Systems and methods of tracking content-exposure events

ABSTRACT

In one embodiment, a method includes identifying a user-initiated precursor of an anticipated exposure event. The method also includes, in response to the identifying, automatically determining particular content that would be exposed if the exposure event were to occur. In addition, the method includes automatically determining one or more users to which the particular content would be exposed if the exposure event were to occur. Further, the method includes, before the exposure event occurs, publishing a result of the automatically determining to a user associated with the user-initiated precursor. Also, the method includes, in response to a detected occurrence of the exposure event, monitoring a plurality of communications platforms for follow-on exposure events in relation to the particular content which chain from the exposure event.

CROSS-REFERENCE TO RELATED APPLICATIONS

This patent application incorporates by reference the entire disclosureof a U.S. Patent Application bearing 14/683,513 and filed on Apr. 10,2015.

BACKGROUND

Technical Field

The present disclosure relates generally to data security and moreparticularly, but not by way of limitation, to systems and methods oftracking content-exposure events.

History Of Related Art

Striking the balance between sharing information and protectingrestricted data is an age-old problem. With the proliferation ofmultiple collaboration systems, remote access, and virtual work groups,it is harder than ever to know how content is being consumed. Also,because of complex access management schemes involving individual andgroup memberships, it is difficult to determine how many people havepotential access to content if posted to a collaboration site. Emailthreads are particularly confounding, as people added later to thediscussion have access to prior comments and content.

Moreover, as the value and use of information continues to increase,individuals and businesses seek additional ways to process and storeinformation. One option available to users is information handlingsystems. An information handling system generally processes, compiles,stores, and/or communicates information or data for business, personal,or other purposes thereby allowing users to take advantage of the valueof the information. Because technology and information handling needsand requirements vary between different users or applications,information handling systems may also vary regarding what information ishandled, how the information is handled, how much information isprocessed, stored, or communicated, and how quickly and efficiently theinformation may be processed, stored, or communicated. The variations ininformation handling systems allow for information handling systems tobe general or configured for a specific user or specific use such asfinancial transaction processing, airline reservations, enterprise datastorage, or global communications. In addition, information handlingsystems may include a variety of hardware and software components thatmay be configured to process, store, and communicate information and mayinclude one or more computer systems, data storage systems, andnetworking systems.

SUMMARY OF THE INVENTION

In one embodiment, a method is performed by a computer system. Themethod includes identifying a user-initiated precursor of an anticipatedexposure event. The method also includes, in response to theidentifying, automatically determining particular content that would beexposed if the exposure event were to occur. In addition, the methodincludes automatically determining one or more users to which theparticular content would be exposed if the exposure event were to occur.Further, the method includes, before the exposure event occurs,publishing a result of the automatically determining to a userassociated with the user-initiated precursor. Also, the method includes,in response to a detected occurrence of the exposure event, monitoring aplurality of communications platforms for follow-on exposure events inrelation to the particular content which chain from the exposure event.

In one embodiment, an information handling system includes a processor.The processor is operable to implement a method. The method includesidentifying a user-initiated precursor of an anticipated exposure event.The method also includes, in response to the identifying, automaticallydetermining particular content that would be exposed if the exposureevent were to occur. In addition, the method includes automaticallydetermining one or more users to which the particular content would beexposed if the exposure event were to occur. Further, the methodincludes, before the exposure event occurs, publishing a result of theautomatically determining to a user associated with the user-initiatedprecursor. Also, the method includes, in response to a detectedoccurrence of the exposure event, monitoring a plurality ofcommunications platforms for follow-on exposure events in relation tothe particular content which chain from the exposure event.

In one embodiment, a computer-program product includes a non-transitorycomputer-usable medium having computer-readable program code embodiedtherein. The computer-readable program code is adapted to be executed toimplement a method. The method includes identifying a user-initiatedprecursor of an anticipated exposure event. The method also includes, inresponse to the identifying, automatically determining particularcontent that would be exposed if the exposure event were to occur. Inaddition, the method includes automatically determining one or moreusers to which the particular content would be exposed if the exposureevent were to occur. Further, the method includes, before the exposureevent occurs, publishing a result of the automatically determining to auser associated with the user-initiated precursor. Also, the methodincludes, in response to a detected occurrence of the exposure event,monitoring a plurality of communications platforms for follow-onexposure events in relation to the particular content which chain fromthe exposure event.

BRIEF DESCRIPTION OF THE DRAWINGS

A more complete understanding of the method and apparatus of the presentinvention may be obtained by reference to the following DetailedDescription when taken in conjunction with the accompanying Drawingswherein:

FIG. 1 illustrates an embodiment of a networked computing environment.

FIG. 2 illustrates an embodiment of a Business Insight on Messaging(BIM) system.

FIG. 3 illustrates an example of a data collection process.

FIG. 4 illustrates an example of a data classification process.

FIG. 5 illustrates an example of a data query process.

FIG. 6 illustrates an example of a heuristics engine.

FIG. 7 illustrates an example of a heuristics process.

FIG. 8 illustrates an example of a data query process.

FIG. 9 illustrates an example of a user interface.

FIG. 10 illustrates an example of a user interface.

FIG. 11 illustrates an embodiment of a system for analyzing contentexposure.

FIG. 12 illustrates an example of a process for indexing fingerprints ofcentrally-accessible content items.

FIG. 13 illustrates an example of a process for indexing fingerprints ofcontent in a user environment.

FIG. 14 illustrates an example of a process for projecting a potentialexposure of a content-exposure event.

FIG. 15 illustrates an example of a process for detecting and handlingexposure events.

FIG. 16 illustrates an example of a process for a use-based analysis ofparticular content.

FIG. 17 illustrates an example of a process for performing anevent-density analysis particular content.

FIG. 18 illustrates an example of a process for providing user analyticsrelated to exposure events.

FIG. 19 illustrates an example of an interactive heat map.

DETAILED DESCRIPTION OF ILLUSTRATIVE EMBODIMENTS OF THE INVENTION

This disclosure describes several non-limiting examples of processes forcollecting information or data from multiple sources and analyzing theinformation to classify the data and to extract or determine additionalinformation based on the collected data. The data sources can beinternal to the business and/or external to the business. For example,the data sources can include sales databases, business or internal emailsystems, non-business or external email systems, social networkingaccounts, inventory databases, file directories, enterprise systems,customer relationship management (CRM) systems, organizationaldirectories, collaboration systems (e.g., SharePoint™ servers), etc.

As used herein, the term “business,” in addition to having its ordinarymeaning, is intended to include any type of organization or entity. Forexample, a business can include a charitable organization, agovernmental organization, an educational institution, or any otherentity that may have one or more sources of data to analyze. Further,the user of any of the above terms may be used interchangeably unlessexplicitly used otherwise or unless the context makes clear otherwise.In addition, as used herein, the term “data” generally refers toelectronic data or any type of data that can be accessed by a computingsystem.

For purposes of this disclosure, an information handling system mayinclude any instrumentality or aggregate of instrumentalities operableto compute, calculate, determine, classify, process, transmit, receive,retrieve, originate, switch, store, display, communicate, manifest,detect, record, reproduce, handle, or utilize any form of information,intelligence, or data for business, scientific, control, or otherpurposes. For example, an information handling system may be a personalcomputer (e.g., desktop or laptop), tablet computer, mobile device(e.g., personal digital assistant (PDA) or smart phone), server (e.g.,blade server or rack server), a network storage device, or any othersuitable device and may vary in size, shape, performance, functionality,and price. The information handling system may include random accessmemory (RAM), one or more processing resources such as a centralprocessing unit (CPU) or hardware or software control logic, ROM, and/orother types of nonvolatile memory. Additional components of theinformation handling system may include one or more disk drives, one ormore network ports for communicating with external devices as well asvarious input and output (I/O) devices, such as a keyboard, a mouse,touchscreen and/or a video display. The information handling system mayalso include one or more buses operable to transmit communicationsbetween the various hardware components.

I. Example of a Networked Computing Environment

FIG. 1 illustrates an embodiment of a networked computing environment100. The networked computing environment 100 can include a computingenvironment 102 that is associated with a business or organization. Thecomputing environment 102 may vary based on the type of organization orbusiness. However, generally, the computing environment 102 may includeat least a number of computing systems. For example, the computingenvironment may include clients, servers, databases, mobile computingdevices (e.g., tablets, laptops, smartphones, etc.), virtual computingdevices, shared computing devices, networked computing devices, and thelike. Further, the computing environment 102 may include one or morenetworks, such as intranet 104.

The computing environment 102 includes a central management platform192. As illustrated, the central management platform 192 can include aBIM system 130 and a content-exposure analysis system 127. The centralmanagement platform 192 can include one or more computer systems; beunitary or distributed; span multiple locations; span multiple machines;or reside in a cloud, which may include one or more cloud components inone or more networks. In certain embodiments, these components of thecentral management platform 192 are operable to interact with the BIMsystem 130, for example, over the intranet 104. In certain otherembodiments, these components of the central management platform 192 canbe contained on a same computer system or have direct communicationlinks such that no communication over the intranet 104 needs to occur.In various cases, communication among the components of the centralmanagement platform 192 can occur via a combination of the foregoing.

A user can access the central management platform 192 using anycomputing system, such as an information handling system, that cancommunicate with the central management platform 192. For example, theuser can access the central management platform 192 using client 114,which can communicate with the central management platform 192 via theintranet 104, client 116, which can communicate via a directcommunication connection with the central management platform 192, orclient 118, which can communicate with the central management platform192 via the network 106. As illustrated in FIG. 1, in some embodimentsthe client 118 may not be associated with the computing environment 102.In such embodiments, the client 118 and/or a user associated with theclient 118 may be granted access to the central management platform 192.The clients 114, 116, and 118 may include any type of computing systemincluding, for example, a laptop, desktop, smartphone, tablet, wearableor body-borne computer, or the like. In some embodiments, the centralmanagement platform 192 (e.g., the BIM system 130) may determine whetherthe user is authorized to access central management platform 192 asdescribed in further detail below.

Using the BIM system 130, a user can examine the data available to abusiness regardless of where the data was generated or is stored.Further, in some embodiments, the user can use the BIM system 130 toidentify trends and/or metadata associated with the data available tothe BIM system 130. In certain embodiments, the BIM system 130 canaccess the data from internal data sources 120, external data sources122, or a combination of the two. The data that can be accessed from theinternal data sources 120 can include any data that is stored within thecomputing environment 102 or is accessed by a computing system that isassociated with the computing environment 102. For example, the data mayinclude information stored in employee created files, log files,archived files, internal emails, outgoing emails, received emails,received files, data downloaded from an external network or theInternet, not-yet-transmitted emails in a drafts folder, etc. The typeof data is not limited and may depend on the organization or businessassociated with the computing environment 102. For example, the data caninclude sales numbers, contact information, vendor costs, productdesigns, meeting minutes, the identity of file creators, the identity offile owners, the identity of users who have accessed a file or areauthorized to access a file, etc.

The data that can be accessed from the external data sources 122 caninclude any data that is stored outside of the computing environment 102and is publicly accessible or otherwise accessible to the BIM system130. For example, the data can include data from social networkingsites, customer sites, Internet sites, or any other data source that ispublicly accessible or which the BIM system 130 has been granted access.In some cases, a subset of the data may be unavailable to the BIM system130. For example, portions of the computing environment 102 may beconfigured for private use.

The internal data sources 120 can include any type of computing systemthat is part of or associated with the computing environment 102 and isavailable to the BIM system 130. These computing systems can includedatabase systems or repositories, servers (e.g., authentication servers,file servers, email servers, collaboration servers), clients, mobilecomputing systems (including e.g., tablets, laptops, smartphones, etc.),virtual machines, CRM systems, content-management platforms, directoryservices, such as lightweight directory access protocol (LDAP) systems,and the like. Further, in some cases, the internal data sources 120 caninclude the clients 114 and 116. The external data sources 122 caninclude any type of computing system that is not associated with thecomputing environment 102, but is accessible to the BIM system 130. Forexample, the external data sources 122 can include any computing systemsassociated with cloud services, social media services, hostedapplications, etc.

The BIM system 130 can communicate with the internal data sources 120via the intranet 104. The intranet 104 can include any type of wiredand/or wireless network that enables computing systems associated withthe computing environment 102 to communicate with each other. Forexample, the intranet 104 can include any type of a LAN, a WAN, anEthernet network, a wireless network, a cellular network, a virtualprivate network (VPN) and an ad hoc network. In some embodiments, theintranet 104 may include an extranet that is accessible by customers orother users who are external to the business or organization associatedwith the computing environment 102.

The BIM system 130 can communicate with the external data sources 122via the network 106. The network 106 can include any type of wired,wireless, or cellular network that enables one or more computing systemsassociated with the computing environment 102 to communicate with theexternal data sources 122 and/or any computing system that is notassociated with the computing environment 102. In some cases, thenetwork 106 can include the Internet.

The BIM system 130 can include a data collection system 132, a dataclassification system 134, and a BIM access system 136. The datacollection system 132 can collect data or information from one or moredata sources for processing by the BIM system 130. In some embodiments,the data collection system 132 can reformat the collected data tofacilitate processing by the BIM system 130. Further, in some cases, thedata collection system 132 may reformat collected data into a consistentor defined format that enables the comparison or processing of data thatis of the same or a similar type, but which may be formatted differentlybecause, for example, the data is obtained from different sources. Thedata collection system 132 is described in more detail below withreference to FIG. 2.

The data classification system 134 can store and classify the dataobtained by the data collection system 132. In addition to predefinedclassifications, the data classification system 134 can identify anddevelop new classifications and associations between data using, forexample, heuristics and probabilistic algorithms. The dataclassification system 134 is described in more detail below withreference to FIG. 3.

The BIM access system 136 can provide users with access to the BIMsystem 130. In some embodiments, the BIM access system 136 determineswhether a user is authorized to access the BIM system 130. The BIMaccess system 136 enables a user to query one or more databases (notshown) of the data classification system 134 to obtain access to thedata collected by the data collection system 132. Further, the BIMaccess system 136 enables a user to mine the data and/or to extractmetadata by, for example, creating queries based on the data and thedata classifications. Advantageously, in certain embodiments, becausethe data classification system 134 can classify data obtained from anumber of data sources, more complex queries can be created compared toa system that can only query its own database or a single data source.

Additionally, in certain embodiments, the BIM access system 136 canenable users to create, share, and access query packages. As describedin greater detail below, a query package can encapsulate one or morepre-defined queries, one or more visualizations of queried data, andother package attributes. When a user selects a query package, the querypackage can be executed in a determined manner in similar fashion toother queries. As an additional advantage, in some embodiments, becausethe data classification system 134 can use heuristics and probabilisticalgorithms to develop and modify data classifications over time, userqueries are not limited to a set of predefined search variables. The BIMaccess system 136 is described in more detail below with reference toFIG. 3.

In certain embodiments, the content-exposure analysis system 127 canproject, track, and analyze exposure events related to communicationsand other content collected from the internal data sources 120 and/orthe external data sources 122. An exposure event can be, for example, anevent whose occurrence would result in content being exposed to one ormore additional users. In some cases, increased exposure may bedesirable (e.g., if trying to market product materials). In other cases,decreased exposure can be desirable (e.g., if content id sensitive orconfidential). Example operation of the content-exposure analysis system127 will be described in greater detail with respect to FIGS. 11-19.

II. Examples of Collecting, Classifying, and Querying Data

FIG. 2 illustrates an embodiment of an implementation of the BIM system130. As previously described above, the BIM system 130 can include adata collection system 132 configured to, among other things, collectdata from the internal data sources 120 and/or the external data sources122. The data collection system 132 can include a collection engine 202,an access manager 204, a business logic engine 206, and a business logicsecurity manager 208.

Generally, the collection engine 202 may access the internal datasources 120 thereby providing the BIM system 130 with access to datathat is stored by or generated by the internal data sources 120. Thisdata can include any data that may be created, accessed, or received bya user or in response to the actions of a user who is associated withthe computing environment 102. Further, in some embodiments, thecollection engine 202 can access the external data sources 122 therebyproviding the BIM system 130 with access to data from the external datasources 122. In some embodiments, the data can include metadata. Forexample, supposing that the collection engine 202 accesses a fileserver, the data can include metadata associated with the files storedon the file server, such as the file name, file author, file owner, timecreated, last time edited, etc.

In some cases, a number of internal data sources 120 and/or externaldata sources 122 may require a user or system to be identified and/orauthenticated before access to the data source is granted.Authentication may be required for a number of reasons. For example, thedata source may provide individual accounts to users, such as a socialnetworking account, email account, or collaboration system account. Asanother example, the data source may provide different features based onthe authorization level of a user. For example, a billing system may beconfigured to allow all employees of an organization to view invoices,but to only allow employees of the accounting department to modifyinvoices.

For data sources that require authentication or identification of aspecific user, the access manager 204 can facilitate access to the datasources. The access manager 204 can manage and control credentials foraccessing the data sources. For example, the access manager 204 canstore and manage user names, passwords, account identifiers,certificates, tokens, and any other information that can be used toaccess accounts associated with one or more internal data sources 120and/or external data sources 122. For instance, the access manager 204may have access to credentials associated with a business's Facebook™ orTwitter™ account. As another example, the access manager may have accessto credentials associated with an LDAP directory, a file managementsystem, or employee work email accounts.

In some embodiments, the access manager 204 may have credentials orauthentication information associated with a master or super useraccount enabling access to some or all of the user accounts withoutrequiring credentials or authentication information associated with eachof the users. In some cases, the collection engine 202 can use theaccess manager 204 to facilitate accessing internal data sources 120and/or external data sources 122.

The business logic engine 206 can include any system that can modify ortransform the data collected by the collection engine 202 into astandardized format. In some embodiments, the standardized format maydiffer based on the data source accessed and/or the type of dataaccessed. For example, the business logic engine 206 may format dataassociated with emails, data associated with files stored at thecomputing environment 102, data associated with web pages, and dataassociated with research files differently. However, each type of datamay be formatted consistently. Thus, for example, data associated withproduct design files may be transformed or abstracted into a commonformat regardless of whether the product design files are of the sametype. As a second example, suppose that the business logic engine 206 isconfigured to record time using a 24-hour clock format. In this secondexample, if one email application records the time an email was sentusing a 24-hour clock format, and a second email application uses a12-hour clock format, the business logic engine 206 may reformat thedata from the second email application to use a 24-hour clock format

In some embodiments, a user may define the format for processing andstoring different types of data. In other embodiments, the businesslogic engine 206 may identify a standard format to use for each type ofdata based on, for example, the format that is most common among similartypes of data sources, the format that reduces the size of theinformation, or any other basis that can be used to decide a dataformat.

The business logic security manager 208 can include any system that canimplement security and data access policies for data accessed by thecollection engine 202. In some embodiments, the business logic securitymanager 208 may apply the security and data access policies to databefore the data is collected as part of a determination of whether tocollect particular data. For example, an organization may designate aprivate folder or directory for each employee and the data accesspolicies may include a policy to not access any files or data stored inthe private directory. Alternatively, or in addition, the business logicsecurity manager 208 may apply the security and data access policies todata after it is collected by the collection engine 202. Further, insome cases, the business logic security manager 208 may apply thesecurity and data access policies to the abstracted and/or reformatteddata produced by the business logic engine 206. For example, suppose theorganization associated with the computing environment 102 has adopted apolicy of not collecting emails designated as personal. In this example,the business logic security manager 208 may examine email to determinewhether it is addressed to an email address designated as personal(e.g., email addressed to family members) and if the email is identifiedas personal, the email may be discarded by the data collection system132 or not processed any further by the BIM system 130.

In some embodiments, the business logic security manager 208 may apply aset of security and data access policies to any data or metadataprovided to the classification system 134 for processing and storage.These security and data access policies can include any policy forregulating the storage and access of data obtained or generated by thedata collection system 132. For example, the security and data accesspolicies may identify the users who can access the data provided to thedata classification system 134. The determination of which users canaccess the data may be based on the type of data. The business logicsecurity manager 208 may tag the data with an identity of the users, orclass or role of users (e.g., mid-level managers and more senior) whocan access the data. As another example, of a security and data accesspolicy, the business logic security manager 208 may determine how longthe data can be stored by the data classification system 134 based on,for example, the type of data or the source of the data.

After the data collection system 132 has collected and, in some cases,processed the data obtained from the internal data sources 120 and/orthe external data sources 122, the data may be provided to the dataclassification system 134 for further processing and storage. The dataclassification system 134 can include a data repository engine 222, atask scheduler 224, an a priori classification engine 226, an aposteriori classification engine 228, a heuristics engine 230 and a setof databases 232.

The data repository engine 222 can include any system for storing andindexing the data received from the data collection system 132. The datarepository engine 222 can store the data, including any generatedindexes, at the set of databases 232, which can include one or moredatabases or repositories for storing data. In some cases, the set ofdatabases 232 can store data in separate databases based on any factorincluding, for example, the type of data, the source of data, or thesecurity level or authorization class associated with the data and theclass of users who can access the data.

In some implementations, the set of databases 232 can dynamically expandand, in some cases, the set of databases 232 may be dynamicallystructured. For example, if the data repository engine 222 receives anew type of data that includes metadata fields not supported by theexisting databases of the set of databases 232, the data repositoryengine 222 can create and initialize a new database that includes themetadata fields as part of the set of databases 232. For instance,suppose the organization associated with the computing environment 102creates its first social media account for the organization to expandits marketing initiatives. Although the databases 232 may have fieldsfor customer information and vendor information, it may not have a fieldidentifying whether a customer or vendor has indicated they “like” or“follow” the organization on its social media page. The data repositoryengine 222 can create a new field in the databases 232 to store thisinformation and/or create a new database to capture informationextracted from the social media account including information thatrelates to the organization's customers and vendors.

In certain embodiments, the data repository engine 222 can createabstractions of and/or classify the data received from the datacollection system 132 using, for example, the task scheduler 224, the apriori classification engine 226, the a posteriori classification engine228, and the heuristics engine 230. The task scheduler 224 can includeany system that can manage the abstraction and classification of thedata received from the data collection system 132. In some embodiments,the task scheduler 224 can be included as part of the data repositoryengine 222.

Data that is to be classified and/or abstracted can be supplied to thetask scheduler 224. The task scheduler 224 can supply the data to the apriori classification engine 226, which can include any system that canclassify data based on a set of user-defined, predefined, orpredetermined classifications. These classifications may be provided bya user (e.g., an administrator) or may be provided by the developer ofthe BIM system 130. Although not limited as such, the predeterminedclassifications generally include objective classifications that can bedetermined based on attributes associated with the data. For example,the a priori classification engine 226 can classify communications basedon whether the communication is an email, an instant message, or a voicemail. As a second example, files may be classified based on the filetype, such as whether the file is a drawing file (e.g., an AutoCAD™file), a presentation file (e.g., a PowerPoint™ file), a spreadsheet(e.g., an Excel™ file), a word processing file (e.g., a Word™ file),etc. Although not limited as such, the a priori classification engine226 generally classifies data at or substantially near the time ofcollection by the collection engine 202. The a priori classificationengine 226 can classify the data prior to the data being stored in thedatabases 232. However, in some cases, the data may be stored prior toor simultaneously with the a priori classification engine 226classifying the data. The data may be classified based on one or morecharacteristics or pieces of metadata associated with the data. Forexample, an email may be classified based on the email address, a domainor provider associated with the email (e.g., a Yahoo® email address or acorporate email address), or the recipient of the email.

In addition to, or instead of, using the a priori classification engine226, the task scheduler 224 can provide the data to the a posterioriclassification engine 228 for classification or further classification.The a posteriori classification engine 228 can include any system thatcan determine trends with respect to the collected data. Although notlimited as such, the a posteriori classification engine 228 generallyclassifies data after the data has been collected and stored at thedatabases 232. However, in some cases, the a posteriori classificationengine 228 can also be used to classify data as it is collected by thecollection engine 202. Data may be processed and classified orreclassified multiple times by the a posteriori classification engine228. In some cases, the classification and reclassification of the dataoccurs on a continuing basis. In other cases, the classification andreclassification of data occurs during specific time periods of events.For example, data may be reclassified each day at midnight or once aweek. As another example, data may be reclassified each time one or moreof the a posteriori algorithms is modified or after the collection ofnew data.

In some cases, the a posteriori classification engine 228 classifiesdata based on one or more probabilistic algorithms. The probabilisticalgorithms may be based on any type of statistical analysis of thecollected data. For example, the probabilistic algorithms may be basedon Bayesian analysis or probabilities. Further, Bayesian inferences maybe used to update the probability estimates calculated by the aposteriori classification engine 228. In some implementations, the aposteriori classification engine 228 may use machine learning techniquesto optimize or update the a posteriori algorithms. In some embodiments,some of the a posteriori algorithms may determine the probability that apiece or set of data (e.g., an email) should have a particularclassification based on an analysis of the data as a whole.Alternatively, or in addition, some of the a posteriori algorithms maydetermine the probability that a set of data should have a particularclassification based on the combination of probabilistic determinationsassociated with subsets of the data, parameters, or metadata associatedwith the data (e.g., classifications associated with the content of theemail, the recipient of the email, the sender of the email, etc.).

For example, continuing with the email example, one probabilisticalgorithm may be based on the combination of the classification ordetermination of four characteristics associated with the email, whichmay be used to determine whether to classify the email as a personalemail, or non-work related. The first characteristic can include theprobability that an email address associated with a participant (e.g.,sender, recipient, BCC recipient, etc.) of the email conversation isused by a single employee. This determination may be based on the emailaddress itself (e.g., topic based versus name based email address), thecreator of the email address, or any other factor that can be used todetermine whether an email address is shared or associated with aparticular individual. The second characteristic can include theprobability that keywords within the email are not associated withpeer-to-peer or work-related communications. For example, terms ofendearment and discussion of children and children's activities are lesslikely to be included in work-related communications. The thirdcharacteristic can include the probability that the email address isassociated with a participant domain or public service provider (e.g.,Yahoo® email or Google® email) as opposed to a corporate or work emailaccount. The fourth characteristic can include determining theprobability that the message or email thread can be classified asconversational as opposed to, for example, formal. For example, a seriesof quick questions in a thread of emails, the use of a number of slangwords, or excessive typographical errors may indicate that an email islikely conversational. The a posteriori classification engine 228 canuse the determined probabilities for the above four characteristics todetermine the probability that the email communication is personal asopposed to, for example, work-related, or spam email.

The combination of probabilities may not total 100%. Further, thecombination may itself be a probability and the classification can bebased on a threshold determination. For example, the threshold may beset such that an email is classified as personal if there is a 90%probability for three of the four above parameters indicating the emailis personal (e.g., email address is used by a single employee, thekeywords are not typical of peer-to-peer communication, at least some ofthe participant domains are from known public service providers, and themessage thread is conversational).

As another example of the a posteriori classification engine 228classifying data, the a posteriori classification engine 228 can use aprobabilistic algorithm to determine whether a participant of an emailis a customer. The a posteriori classification engine 228 can use theparticipant's identity (e.g., a customer) to facilitate classifying datathat is associated with the participant (e.g., emails, files, etc.). Todetermine whether the participant should be classified as a customer,the a posteriori classification engine 228 can examiner a number ofparameters including a relevant Active Directory Organizational Unit(e.g., sales, support, finance) associated with the participant and/orother participants in communication with the participant, theparticipant's presence in forum discussions, etc. In some cases,characteristics used to classify data may be weighted differently aspart of the probabilistic algorithm. For example, email domain may be apoor characteristic to classify a participant in some cases because theemail domain may be associated with multiple roles. For instance,Microsoft® may be a partner, a customer, and a competitor.

In some implementations, a user (e.g., an administrator) can define theprobabilistic algorithms used by the a posteriori classification engine228. For example, suppose customer Y is a customer of business X andthat the management of business X is interested in tracking thepercentage of communication between business X and customer Y thatrelates to sales. Further, suppose that a number of employees frombusiness X and a number of employees from business Y are incommunication via email. Some of these employees may be in communicationto discuss sales. However, it is also possible that some of theemployees may be in communication for technical support issues,invoicing, or for personal reasons (e.g., a spouse of a business Xemployee may work at customer Y). Thus, in this example, to track thepercentage of communication between business X and customer Y thatrelates to sales the user may define a probabilistic algorithm thatclassifies communications based on the probability that thecommunication relates to sales. The algorithm for determining theprobability may be based on a number of pieces of metadata associatedwith each communication. For example, the metadata may include thesender's job title, the recipient's job title, the name of the sender,the name of the recipient, whether the communication identifies aproduct number or an order number, the time of communication, a set ofkeywords in the content of the communication, etc.

Using the a posteriori classification engine 228, data may be classifiedbased on metadata associated with the data. For example, thecommunication in the above example can be classified based on whether itrelates to sales, supplies, project development, management, personnel,or is personal. The determination of what the data relates to can bebased on any criteria. For example, the determination may be based onkeywords associated with the data, the data owner, the data author, theidentity or roles of users who have accessed the data, the type of datafile, the size of the file, the data the file was created, etc.

In certain embodiments, the a posteriori classification engine 228 canuse the heuristics engine 230 to facilitate classifying data. Further,in some cases, the a posteriori classification engine 228 can use theheuristics engine 230 to validate classifications, to develop probableassociations between potentially related content, and to validate theassociations as the data collection system 132 collects more data. Incertain embodiments, the a posteriori classification engine 228 may basethe classifications of data on the associations between potentiallyrelated content. In some implementations, the heuristic engine 230 mayuse machine learning techniques to optimize or update the heuristicalgorithms.

In some embodiments, a user (e.g., an administrator) can verify whetherthe data or metadata has been correctly classified. Based on the resultof this verification, in some cases, the a posteriori classificationengine 228 may correct or update one or more classifications ofpreviously processed or classified data. Further, in someimplementations, the user can verify whether two or more pieces of dataor metadata have been correctly associated with each other. Based on theresult of this verification, the a posteriori classification engine 228using, for example, the heuristics engine 230 can correct one or moreassociations between previously processed data or metadata. Further, incertain embodiments, one or more of the a posteriori classificationengine 228 and the heuristics engine 230 may update one or morealgorithms used for processing the data provided by the data collectionsystem 132 based on the verifications provided by the user.

In some embodiments, the heuristics engine 230 may be used as a separateclassification engine from the a priori classification engine 226 andthe a posteriori classification engine 228. Alternatively, theheuristics engine 230 may be used in concert with one or more of the apriori classification engine 226 and the a posteriori classificationengine 228. Similar to the a posteriori classification engine 228, theheuristics engine 230 generally classifies data after the data has beencollected and stored at the databases 232. However, in some cases, theheuristics engine 230 can also be used to classify data as it iscollected by the collection engine 202.

The heuristics engine 230 can use any type of heuristic algorithm forclassifying data. For example, the heuristics engine 230 can determinewhether a number of characteristics are associated with the data andbased on the determination, classify the data. For example, data thatmentions a product, includes price information, addresses (e.g., billingand shipping addresses), and quantity information may be classified assales data. In some cases, the heuristics engine 230 can classify databased on a subset of characteristics. For example, if a majority ortwo-thirds of characteristics associated with a particularclassification are identified as existing in a set of data, theheuristics engine 230 can associate the classification with the set ofdata. In some cases, the heuristics engine 230 determines whether one ormore characteristics are associated with the data. In other words, theheuristics engine can determine whether a particular characteristic isor is not associated with the data. Alternatively, or in addition, theheuristics engine 230 can determine the value or attribute of aparticular characteristic associated with the data. The value orattribute of the characteristic may then be used to determine aclassification for the data. For example, one characteristic that may beused to classify data is the length of the data. For instance, in somecases, a long email may make one classification more likely that a shortemail.

The a priori classification engine 226 and the a posterioriclassification engine 228 can store the data classification at thedatabases 232. Further, the a posteriori classification engine 228 andthe heuristics engine 230 can store the probable associations betweenpotentially related data at the databases 232. In some cases, asclassifications and associations are updated based on, for example, userverifications or updates to the a posteriori and heuristicclassification and association algorithms, the data or metadata storedat the databases 232 can be modified to reflect the updates.

Users can communicate with the BIM system 130 using a client computingsystem (e.g., client 114, client 116, or client 118). In some cases,access to the BIM system 130, or to some features of the BIM system 130,may be restricted to users who are using clients associated with thecomputing environment 102. As described above, in some cases, at leastsome users can access the BIM system 130 to verify classifications andassociations of data by the data classification system 134. In addition,in some cases, at least some users can access at least some of the dataand/or metadata stored at the data classification system 134 using theBIM access system 136. The BIM access system 136 can include a userinterface 240, a query manager 242, and a query security manager 244.

The user interface 240 can generally include any system that enables auser to communicate with the BIM system 130. Further, the user interface240 enables the user to submit a query to the BIM system 130 to accessthe data or metadata stored at the databases 232. Moreover, the querycan be based on any number of or type of data or metadata fields orvariables. Advantageously, in certain embodiments, by enabling, a userto create a query based on any number or type of fields, complex queriescan be generated. Further, because the BIM system 130 can collect andanalyze data from a number of internal and external data sources, a userof the BIM system 130 can extract data that is not typically availableby accessing a single data source. For example, a user can query the BIMsystem 130 to locate all personal messages sent by the members of theuser's department within the last month. As a second example, a user canquery the BIM system 130 to locate all helpdesk requests received in aspecific month outside of business hours that were sent by customersfrom Europe. As an additional example, a product manager may create aquery to examine customer reactions to a new product release or thepitfalls associated with a new marketing campaign. The query may returndata that is based on a number of sources including, for example, emailsreceived from customers or users, Facebook® posts, Twitter® feeds, forumposts, quantity of returned products, etc.

Further, in some cases, a user can create a relatively simple query toobtain a larger picture of an organization's knowledge compared tosystems that are incapable of integrating the potentially large numberof information sources used by some businesses or organizations. Forexample, a user can query the BIM system 130 for information associatedwith customer X over a time range. In response, the BIM system 130 mayprovide the user with all information associated with customer X overthe time range, which can include who communicated with customer X, thepercentage of communications relating to specific topics (e.g., sales,support, etc.), the products designed for customer X, the employees whoperformed any work relating to customer X and the employees' roles, etc.This information may not be captured by a single source. For example,the communications may be obtained from an email server, the productsmay be identified from product drawings, and the employees and theirroles may be identified by examining who accessed specific files incombination with the employees' human resources (HR) records.

The query manager 242 can include any system that enables the user tocreate the query. The query manager 242 can cause the available types ofsearch parameters for searching the databases 232 to be presented to auser via the user interface 240. These search parameter types caninclude any type of search parameter that can be used to form a queryfor searching the databases 232. For example, the search parameter typescan include names (e.g., employee names, customer names, vendor names,etc.), data categories (e.g., sales, invoices, communications, designs,miscellaneous, etc.), stored data types (e.g., strings, integers, dates,times, etc.), data sources (e.g., internal data sources, external datasources, communication sources, sales department sources, product designsources, etc.), dates, etc. In some cases, the query manager 242 canalso parse a query provided by a user. For example, some queries may beprovided using a text-based interface or using a text-field in aGraphical User Interface (GUI). In such cases, the query manager 242 maybe configured to parse the query.

The query manager 242 can further include any system that enables theuser to create or select a query package that serves as the query. Incertain embodiments, the query manager 242 can maintain query packagesfor each user, group of users, and/or the like. The query packages canbe stored, for example, in a SQL database that maintains each user'squery packages in a table by a unique identifier. In some embodiments,each user may have a profile that includes a list of package identifiersfor that user. The query manager 242 can cause query packages associatedwith the user to be presented and made selectable via the user interface240. In various embodiments, the query manager 242 can also facilitatecreation of new query packages. New query packages can be madeaccessible to users in various ways. For example, the new query packagescan be created by the user, shared with the user by another user, pushedto the user by an administrator, or created in another fashion.

Further, the query manager 242 can cause any type of additional optionsfor querying the databases 232 to be presented to the user via the userinterface 240. These additional options can include, for example,options relating to how query results are displayed or stored.

In some cases, access to the data stored in the BIM system 130 may belimited to specific users or specific roles. For example, access to thedata may be limited to “Bob” or to senior managers. Further, some datamay be accessible by some users, but not others. For example, salesmanagers may be limited to accessing information relating to sales,invoicing, and marketing, technical managers may be limited to accessinginformation relating to product development, design and manufacture, andexecutive officers may have access to both types of data, and possiblymore. In certain embodiments, the query manager 242 can limit the searchparameter options that are presented to a user for forming a query basedon the user's identity and/or role.

The query security manager 244 can include any system for regulating whocan access the data or subsets of data. The query security manager 244can regulate access to the databases 232 and/or a subset of theinformation stored at the databases 232 based on any number and/or typesof factors. For example, these factors can include a user's identity, auser's role, a source of the data, a time associated with the data(e.g., the time the data was created, a time the data was last accessed,an expiration time, etc.), whether the data is historical or current,etc.

Further, the query security manager 244 can regulate access to thedatabases 232 and/or a subset of the information stored at the databases232 based on security restrictions or data access policies implementedby the business logic security manager 208. For example, the businesslogic security manager 208 may identify all data that is “sensitive”based on a set of rules, such as whether the data mentions one or morekeywords relating to an unannounced product in development. Continuingthis example, the business logic security manager 208 may label thesensitive data as, for example, sensitive, and may identify which usersor roles, which are associated with a set of users, can access datalabeled as sensitive. The query security manager 244 can then regulateaccess to the data labeled as sensitive based on the user or the roleassociated with the user who is accessing the databases 232.

Although illustrated separately, in some embodiments, the query securitymanager 244 can be included as part of the query manager 242. Further,in some cases, one or both of the query security manager 244 and thequery manager 242 can be included as part of the user interface 240. Incertain embodiments, some or all of the previously described systems canbe combined or further divided into additional systems. Further, some orall of the previously described systems may be implemented in hardware,software, or a combination of hardware and software.

FIG. 3 presents a flowchart of an example of a data collection process300. The process 300 can be implemented by any system that can accessone or more data sources to collect data for storage and analysis. Forexample, the process 300, in whole or in part, can be implemented by oneor more of the data collection system 132, the collection engine 202,the access manager 204, the business logic engine 206, and the businesslogic security manager 208. In some cases, the process 300 can beperformed generally by the BIM system 130. Although any number ofsystems, in whole or in part, can implement the process 300, to simplifydiscussion, the process 300 will be described in relation to specificsystems or subsystems of the BIM system 130.

The process 300 begins at block 302 where, for example, the collectionengine 202 accesses data from the internal data sources 120. At block304, the collection engine 202 accesses data from the external datasources 122. In some cases, either the block 302 or 304 may be optional.Accessing the data may include obtaining the data or a copy of the datafrom the internal data sources 120. Further, accessing the data mayinclude accessing metadata associated with the data. In someembodiments, the collection engine 202 may obtain copies of the metadataor access the data to obtain or determine metadata associated with thedata without obtaining a copy of the data. For example, in some cases,the collection engine 202 may access email from an email server toobtain metadata (e.g., sender, recipient, time sent, whether files areattached, etc.) associated with email messages with or, in some cases,without obtaining a copy of the email.

As previously described, accessing one or more of the internal datasources 120 and the external data sources 122 may involve using one ormore credentials or accessing one or more accounts associated with thedata sources. In such embodiments, the collection engine 202 may use theaccess manager 204 to access the credentials and/or to facilitateaccessing the data sources.

Generally, although not necessarily, the data obtained at blocks 302 and304 is raw data that is obtained in the format that the data is storedat the data sources with little to no modification. At block 306, thebusiness logic engine 206, as described above, can reformat or transformthe accessed or collected data for analysis and/or storage. Reformattingthe accessed or collected data can include formatting the data to enablefurther processing by the BIM system 130. Further, reformatting theaccessed or collected data can include formatting the data in a formatspecified by a user (e.g., an administrator). In addition, in certaincases, reformatting the data can include extracting metadata from theaccessed or collected data. In some cases, block 306 can includeabstracting the data to facilitate analysis. For example, assuming thedata under analysis is an email, a number of users may be identified.For instance, an email may include a sender, one or more recipients,which may also include users that are carbon copied, or listed on the CCline, and Blind Carbon Copied, or listed on the BCC line, and, in somecases, non-user recipients, such as lists or email addresses that resultin a copy of the email being placed in an electronic folder for storage.Each of these users can be abstracted as “communication participant.”The data can then be analyzed and/or stored with each user identified,for example, as a “communication participant.”

As another example of abstracting the data, the text content of eachtype of message can be abstracted as “message body.” Thus, an email, aTwitter® post, and a Facebook® post, and a forum post, and a productreview can all be abstracted as “message body.” By abstracting data, theBIM system 130 enables more in-depth searching across multiple datasources. For example, a user can search for all messages associated withcommunication participant X. The result of the search can include anytype of message that is associated with user X including emails sent byuser X, emails received by user X, product review by user X, Twitter®posts by user X, etc. In some embodiments, the databases 232 may storethe abstracted or transformed data and the original data or referencesto the original sources of data. In other embodiments, the databases 232may store the abstracted or transformed data in place of the originaldata.

In some cases, reformatting the data may be optional. For example, incases where the collection engine 202 collects metadata from sourcesthat share a common or substantially similar data storage format, theblock 306 may be unnecessary.

At block 308, the business logic security manager 208 applies a securityor data access policy to the collected data. Applying the securitypolicy can include preventing the collection engine 202 from accessingsome data. For example, applying the security policy can includepreventing the collection engine 202 from accessing encrypted files,files associated with a specific project or user, or files markedprivate. Further, applying the security policy can include marking oridentifying data, based on the security policy, that should not bestored at the databases 232, that should be accessible by a set of usersor roles, or that should be inaccessible by a set of users or roles. Thebusiness logic security manager 208 can filter any data marked forexclusion from storage in the databases 232 at block 310. Further, thebusiness logic security manager 208 and/or the business logic engine 206can filter out any data to be excluded based on a data access policy,which can be based on any type of factor for excluding data. Forexample, data may be filtered based on the age of the data, such asfiles created more than five years ago or emails more than two yearsold.

At block 312, the business logic engine 206 or the business logicsecurity manager 208 may classify the collected and/or filtered data.The data may be classified based on, for example, who can access thedata, the type of data, the source of the data, or any other factor thatcan be used to classify data. In some embodiments, the data may beprovided to the data classification system 134 for classification. Somenon-limiting embodiments of a process for classifying the data aredescribed in further detail below with respect to the process 400, whichis illustrated in FIG. 4.

The business logic engine 206 further formats the data for storage atblock 314. Formatting the data for storage can include creating alow-level abstraction of the data, transforming the data, or extractingmetadata for storage in place of the data. In some cases, block 314 caninclude some or all of the embodiments described above with respect tothe block 306. In some embodiments, data may go through one abstractionor transformation process at the block 306 to optimize the data foranalysis and go through another abstraction or transformation process atthe block 314 to optimize the data for storage and/or query access. Insome embodiments, the metadata may be stored in addition to the data.Further, the metadata, in some cases, may be used for querying thedatabases 232. For example, a user can search the databases 232 forinformation based on one or more metadata fields. In some embodiments,one or more of the blocks 306 and 314 may be optional.

At block 316, the data collection system 132 can cause the data to bestored at, for example, the databases 232. This stored data can includeone or more of the collected data, the metadata, and the abstracteddata. In some embodiments, storing the data can include providing thedata to the data repository engine 222 for indexing. In suchembodiments, the data repository engine 222 can store the indexed dataat the databases 232.

Although the process 300 was presented above in a specific order, it ispossible for the operations of the process 300 to be performed in adifferent order or in parallel. For example, the business logic securitymanager 208 may perform the block 308, at least in part, prior to or inparallel with the blocks 302 and 304. As a second example, the businesslogic engine 206 may perform the block 306 as each item of data isaccessed or after a set of data is accessed at the blocks 302 and 304.

FIG. 4 presents a flowchart of an example of a data classificationprocess 400. The process 400 can be implemented by any system that canclassify data and/or metadata. For example, the process 400, in whole orin part, can be implemented by one or more of the data classificationsystem 134, the data repository engine 222, the task scheduler 224, thea priori classification engine 226, the a posteriori classificationengine 228, and the heuristics engine 230. In some cases, the process400 can be performed generally by the BIM system 130. Although anynumber of systems, in whole or in part, can implement the process 400,to simplify discussion, the process 400 will be described in relation tospecific systems or subsystems of the BIM system 130.

The process 400 begins at block 402 where, for example, the datacollection system 132 accesses data from one or more of the internaldata sources 120 and the external data sources 122. The data collectionsystem 132 may use the collection engine 202 to access the data.Further, the block 402 can include some or all of the embodimentsdescribed above with respect to the blocks 302 and 304. Moreover, someor all of the process 300 described above can be performed as part ofthe process performed at block 402. In some embodiments, the process 400can be performed as part of the block 312 above. In such embodiments,the block 402 may include the data collection system 132 providing thedata, a reformatted version of the data, an abstraction of the data,and/or metadata to the data classification system 134. In someimplementations, the process 400 may be performed separately orindependently of the data collection process. In such embodiments, theblock 402 may include accessing the data from the databases 232. In somecases, the databases 232 may include a database for classified data anda separate database for data that has not yet been classified.

At block 404, the a priori classification engine 226 classifies the databased on a set of user-specified classification rules. As previouslymentioned, a developer of the BIM system 130 or a user (e.g., anadministrator) may specify the classification rules. Further, theclassification rules can include any rules for classifying data based onthe data or metadata associated with the data. For example, data may beclassified based on the author of the data, the owner of the data, thetime the data was created, etc.

At block 406, the a posteriori classification engine 228 classifies thedata using a posteriori analysis. This may include the a posterioriclassification engine 228 using one or more probabilistic algorithms todetermine one or more classifications for the data. The a posterioriclassification engine 228 can use any type of probabilistic algorithmfor classifying the data. For example, the classification may be basedon one or more Bayesian probability algorithms. As another example, thea posteriori classification may be based on clustering of similar ordissimilar pieces of data. One example of such an approach that can beadapted for use herein is the Braun-Blanquet method that is sometimesused in vegetation science. One or both of the a priori classificationand the a posteriori classification may be based on one or morevariables or criteria associated with the data or metadata.

In some embodiments, the a posteriori classification engine 228 may usethe heuristics engine 230 to facilitate calculating the probabilisticclassifications of the data. For example, the a posterioriclassification engine 228 can modify the probabilities used to classifythe data based on a determination of the heuristics engine 230 of theaccuracy of the classification of previously classified data. Theheuristics engine 230 may determine the accuracy of the classificationof previously classified data based on, for example, feedback by theuser. This feedback may include, for example, manual reclassification ofdata, indications by a user of the accuracy of prior classifications,indications of the accuracy or usefulness of query results from queryingthe databases 232 that include the classified data, etc. Further, theheuristics engine 230 may determine the accuracy of the classificationof previously classified data based on, for example, the classificationsof data accessed more recently than the previously classified data. Insome cases, the more recent data may have been accessed before or at thesame time as the previously classified data, but may be classified afterthe previously classified data.

At block 408, the heuristics engine 230 can classify data using aheuristics analysis. As previously described, in some cases, theheuristics engine 230 can classify the data based on the number orpercentage of characteristics or attributes associated with the datathat match a particular classification.

In some embodiments, the task scheduler 224 schedules one or more of theblocks 404, 406, and 408. Further, in some cases, the task scheduler 224may determine whether to perform the process 400 and/or one or more ofthe blocks 404, 406, and 408. In some cases, one or more of the blocks404, 406, and 408 may be optional. For instance, an initialclassification may be associated with data when it is collected via theprocess associated with the block 404. The data may then be furtherclassified or reclassified at collection, or at a later time, using theprocess associated with the block 406, the block 408, or a combinationof the blocks 406 and 408.

At block 410, the data repository engine 222 stores or causes to bestored the data and the data classifications at the databases 232. Insome cases, the data repository engine 222 may store metadata associatedwith the data at the databases 232 instead of, or in addition to,storing the data.

At block 412, the data repository engine 222 can update the a posteriorialgorithms based on the classifications determined for the data. Inaddition, or alternatively, the a posteriori algorithms may be updatedbased on previously classified data. The a posteriori algorithms may beupdated based on customer feedback and/or the determination of theheuristics engine 230 as described above with respect to the block 406.Further, updating the a posteriori algorithms may include modifying theprobabilistic weights applied to one or more variables or pieces ofmetadata used to determine the one or more classifications of the data.Moreover, updating the a posteriori algorithms may include modifying theone or more variables or pieces of metadata used to determine the one ormore classifications of the data. In some cases, the block 412 caninclude modifying the heuristic algorithms used at the block 408. Forexample, the number of characteristics required to classify the datawith a particular classification may be modified. In addition, oralternatively, the weight applied to each of the characteristics may bemodified at the block 412.

As with the process 300, it is possible for the operations of theprocess 400 to be performed in a different order or in parallel. Forexample, the blocks 404 and 406 may be performed in a different order orin parallel.

FIG. 5 presents a flowchart of an example of a data query process 500.The process 500 can be implemented by any system that can process aquery provided by a user or another system and cause the results of thequery to be presented to the user or provided to the other system. Forexample, the process 500, in whole or in part, can be implemented by oneor more of the BIM access system 136, the user interface 240, the querymanager 242, and the query security manager 244. In some cases, theprocess 500 can be performed generally by the BIM system 130. Althoughany number of systems, in whole or in part, can implement the process500, to simplify discussion, the process 500 will be described inrelation to specific systems or subsystems of the BIM system 130.

The process 500 begins at block 502 where, for example, the userinterface 240 receives a set of one or more search parameters from auser via a client (e.g., the client 114). In some embodiments, thesearch parameters may be provided by another computing system. Forexample, in some embodiments, an application running on a server (notshown) or a client (e.g., the client 116) may be configured to query theBIM system 130 in response to an event or at a predetermined time. Theapplication can then use the result of the query to perform anapplication-specific process. For instance, an application or script maybe configured to query the BIM system 130 every month to determine theworkload of each employee or of the employees in a specific departmentof an organization to determine, for example, whether additionalemployees are needed or whether the allocation of human resources withindifferent departments should be redistributed. In this example, theapplication can determine whether to alert a user based on the result ofthe determination.

In some implementations, a user can provide a text-based query to theuser interface 240. This text-based query can be parsed by, for example,the user interface 240 and/or the query manager 242. Alternatively, orin addition, the user interface 240 can provide a set of query optionsand/or fields that a user can use to formulate a query of the BIM system130. The query options or fields can include any type of option or fieldthat can be used to form a query of the BIM system 130. For example, thequery options or fields can include tags, classifications, time ranges,keywords, user identifiers, user roles, customer identifiers, vendoridentifiers, corporate locations, geographic locations, etc. In someembodiments, the query options and/or search fields presented to a usermay be generated based on the data stored in the databases 232. Forexample, if the databases 232 includes email data, a sender field and arecipient field may be available for generating a query. However, if thedatabases 232 lacks any email data, the sender and recipient fields maynot be available for generating a query.

In some cases, the query security manager 244 can limit or determine thefields or options that the user interface 240 can present to the userbased on, for example, the user's permissions or the user's role. Forexample, fields relating to querying the BIM system 130 regarding thecontent of a business's email may be unavailable to a user who is notauthorized to search the contents of collected email. For instance,searching the content of emails may be limited to the legal departmentfor compliance purposes. Other users may be prohibited from searchingthe email content for privacy reasons.

At block 504, the query manager 242 formats a query based on the searchparameters received at block 502. Formatting the query may includetransforming the search parameters and query options provided by theuser into a form that can be processed by the data repository engine222. In certain embodiments, the block 504 may be optional. For example,in some cases the search parameters may be provided by the user in aform of a query that can be processed by the BIM system 130 withoutmodification.

At block 506, the user interface 240 receives one or more usercredentials from the user. In some cases, the user credentials may bereceived from an application. The user credentials can include any typeof credential or identifier that can be used to identify a user and/ordetermine a set of permissions or a level of authorization associatedwith the user. At block 508, the query security manager 244 can validatethe user, or application, based at least in part on the user credentialsreceived at the user interface 240. Validating the user can includeidentifying the user, identifying permissions associated with the user,the user's role, and/or an authorization level associated with the user.In some embodiments, if the query security manager 244 is unable tovalidate the user or determines that the user lacks authorization toaccess the BIM system 130 and/or query the databases 232, the querysecurity manager 244 may reject the user's query. Further, the userinterface 240 may inform the user that the user is not authorized toaccess the BIM system 130 or to query the databases 232. In someimplementations, if the user identifies as a guest or if the querysecurity manager 244 is unable to validate the guest, the user may beassociated with a guest identity and/or a set of guest permissions,which may permit limited access to the BIM system 130 or the data storedat the databases 232. In some cases, a guest may receive full access tothe BIM system 130. However, the actions of the guest may be logged orlogged differently than the actions of an identified user.

At block 510, the query security manager 244 attaches the userpermissions to the query. Alternatively, or in addition, the querysecurity manager may attach the user's identity, role, and/orauthorization level to the query. In some embodiments, one or more ofthe blocks 506, 508, and 510 may be optional.

At block 512, the query manager 242 retrieves data, and/or metadata,satisfying the query. In some implementations, the block 512 may includeproviding the query to the data repository engine 222 for processing.The data repository engine 222 can then query the databases 232 toobtain data that satisfies the query. This data can then be provided tothe query manager 242.

At decision block 514, the query security manager 244 can determinewhether the user has permission, or is authorized, to access the datathat satisfies the query. Determining whether the user has permission toaccess the data may be based on any type of factor that can be used todetermine whether a user can access data. For example, the determinationmay be based, at least in part, on the user's credentials, the user'spermissions, a security level associated with the data, etc. In somecases, the data repository engine 222 may perform the decision block 514as part of the process associated with the block 512.

If the query security manager 244 determines that the user does not havepermission to access the data, the query security manager 244 rejectsthe user query at block 516. In some cases, rejecting the user query mayinclude informing the user that the query is not authorized and/or thatthe user is not authorized to access the data associated with the query.In other cases, rejecting the user query may include doing nothing orpresenting an indication to the user that no data satisfies the user'squery.

If the query security manager 244 determines that the user does havepermission to access the data, the user interface 240 provides the userwith access to the data at block 518. Providing the user with access tothe data can include presenting the data on a webpage, in anapplication-generated window, in a file, in an email, or any othermethod for providing data to a user. In some cases, the data may becopied to a file and the user may be informed that the data is ready foraccess by, for example, providing the user with a copy of the file, alink to the file, or a location associated with the file.

With some queries, a user may be authorized to access some data thatsatisfies the query, but not other data that satisfies the query. Insuch cases, the user may be presented with the data that the user isauthorized to access. Further, the user may be informed that additionaldata exists that was not provided because, for example, the user was notauthorized to access the data. In other cases, the user may not beinformed that additional data exists that was not provided.

In some embodiments, the decision block 514 and block 516 may beoptional. For example, in some cases where the search parametersavailable to a user are based on the user's permissions, decision block514 may be superfluous. However, in other embodiments, both the searchparameters available to the user and the data the user can access areindependently determined based on the user's permissions.

Advantageously, in certain embodiments, the process 500 can be used toidentify new information and/or to determine trends that would be moredifficult or identify or not possible to identify based on a single datasource. For example, the process 500 can be used to identify the mostproductive and least productive employees of an organization based on avariety of metrics. Examining a single data source may not provide thisinformation because employees serve different roles. Further, differentemployees are unproductive in different ways. For example, someemployees may spend time an inordinate amount of time on socialnetworking sites or emailing friends. Other employees may procrastinateby playing games or by talking in the kitchen. Thus, examining onlyemail use or Internet activity may not provide an accurate determinationof which employees are more productive. In addition, some employees canaccomplish more work in less time than other employees. Thus, todetermine which employees are the most productive during working hoursrequires examining a number of data sources. The BIM system 130 makesthis possible by enabling a user to generate a query that relates theamount of time in the office to the amount of time spent procrastinatingat different types of activities to the number of work-related tasksthat are accomplished.

As a second example, the BIM system 130 can be used to identify thesalespersons and the communications techniques that are most effectivefor each customer. For instance, a user can generate a query thatrelates sales, the method of communication, the content ofcommunication, the salespersons contacting each of the customers, andthe customers. Based on the result of this query, a manager may be ableto determine that certain salespersons generate larger sales when usinga particular communication method with a particular customer while othersalespersons may be more effective with a different communication methodwith the particular customer or may be more effective with othercustomers.

An additional example of an application of the BIM system 130 caninclude gauging employee reaction to an executive memorandum or areorganization announcement. Queries can be generated to access allcommunications associated with the memorandum or announcement.Alternatively, or in addition, queries can be generated to identify thegeneral mood of employees post memorandum or announcement. These queriescan examine the tone of emails and other communications (e.g., socialnetworking posts, etc.). Additional examples of applications for usingthe BIM system 130 can include determining whether employees arecommunicating with external sources in a manner that adheres tocorporate policies, communicating with customers in a timely fashion, oraccessing data that is unrelated to their job role.

FIG. 6 illustrates an example of a heuristics engine 602. In a typicalembodiment, the heuristics engine 602 operates as described with respectto the heuristics engine 230 of FIG. 2. In a typical embodiment, theheuristics engine 602 is operable to perform a heuristics analysis foreach of a plurality of different classifications and thereby reach aclassification result for each classification. The classification resultmay be, for example, an indication whether a given classification shouldbe assigned to given data. For purposes of simplicity, the heuristicsengine 602 may be periodically described, by way of example, withrespect to a single classification.

The heuristics engine 602 includes a profiling engine 604 and acomparison engine 606. In a typical embodiment, the profiling engine 604is operable to develop one or more profiles 608 by performing, forexample, a multivariate analysis. For example, in certain embodiments,the one or more profiles 608 may relate to what constitutes a personalmessage. In these embodiments, the profiling engine 604 can perform amultivariate analysis of communications known to be personal messages inorder to develop the one or more profiles 608. In some embodiments, theone or more profiles 608 can also be manually established.

In typical embodiment, the one or more profiles 608 can each include aninclusion list 610 and a filter list 612. The inclusion list 610 caninclude a list of tokens such as, for example, words, that have beendetermined to be associated with the classification to which the profilecorresponds (e.g., personal message, business message, etc.). In atypical embodiment, for each token in the inclusion list 610, theappearance of the token in a communication makes it more likely that thecommunication should be assigned the classification. The filter list 612can include a list of tokens such as, for example, words, that have beendetermined to have little to no bearing on whether a given communicationshould be assigned the classification. In some embodiments, the filterlist 612 may be common across all classifications.

In certain embodiments, the inclusion list 610 may be associated withstatistical data that is maintained by the profiling engine 604. Basedon the statistical data, the one or more profiles 608 can provide means,or expected values, relative to the inclusion list 610. In someembodiments, the expected value may be based on an input such as alength of a given communication (e.g., a number of characters or words).According to this example, the expected value may be an expected numberof “hits” on the inclusion list 610 for a personal message of aparticular length. The particular length may correspond to a length ofthe given communication. By way of further example, the expected valuemay be an expected percentage of words of a personal message that are“hits” on the inclusion list 610. Optionally, the expected percentagemay be based on a length of the given communication in similar fashionto that described above with respect to the expected number of “hits.”

The comparison engine 606 is operable to compare data to the one or moreprofiles 108 based on configurations 614. The configurations 614typically include heuristics for establishing whether data should beclassified into the classification. In particular, the configurations614 can include one or more thresholds that are established relative tothe statistical data maintained by the profiling engine 604. Forexample, each threshold can be established as a number of standarddeviations relative to an expected value.

For example, continuing the personal-message classification exampledescribed above, the configurations 614 may require that an actual valueof a given metric for a new communication not be more than two standarddeviations below the expected value of the given metric. In thisfashion, if the actual value is not more than two standard deviationsbelow the expected value, the new communication may be assigned theclassification. The given metric may be, for example, a number orpercentage of “hits” as described above.

FIG. 7 presents a flowchart of an example of a heuristics process 700for classifying data into a classification. The process 700 can beimplemented by any system that can classify data and/or metadata. Forexample, the process 700, in whole or in part, can be implemented by aheuristics engine such as, for example, the heuristics engine 230 ofFIG. 2 or the heuristics engine 602 of FIG. 6. In some cases, theprocess 700 can be performed generally by the BIM system 130. Althoughany number of systems, in whole or in part, can implement the process700, to simplify discussion, the process 700 will be described inrelation to the heuristics engine. The process 700 begins at step 702.

At step 702, the heuristics engine receives new data. The new data maybe considered to be representative of any data, inclusive of metadata,for which classification is desired. The new data may be, for example, anew communication. From step 702, the process 700 proceeds to step 704.At step 704, the heuristics engine identifies one or more comparisonattributes in the new data. For example, the one or more comparisonattributes may be actual values for given metrics such as, for example,a number or percentage of “hits” on an inclusion list such as theinclusion list 610 of FIG. 6. From step 704, the process 700 proceeds tostep 706.

At step 706, the heuristics engine compares the one or more comparisonattributes with one or more thresholds. The one or more thresholds maybe defined as part of configurations such as, for example, theconfigurations 614 of FIG. 6. From step 706, the process 700 proceeds tostep 708. At step 708, the heuristics engine determines whetherclassification criteria has been satisfied. In a typical embodiment, theclassification criteria is representative of criteria for determiningwhether the new data should be assigned the classification. Theclassification criteria may specify, for example, that all or aparticular combination of the one or more thresholds be satisfied.

If it is determined at step 708 that the classification criteria notbeen satisfied, the process 700 proceeds to step 712 where the process700 ends without the new data being assigned the classification. If itis determined at step 708 that the classification criteria has beensatisfied, the process 700 proceeds to step 710. At step 710, theheuristics engine assigns the classification to the new data. From step710, the process 700 proceeds to step 712. At step 712, the process 700ends.

In certain embodiments, data queries as described with respect to FIGS.1-5 may also be accomplished using query packages. A query packagegenerally encapsulates package attributes such as, for example, searchparameters as described above with respect to queries, as long withother package attributes that enable enhanced functionality. Forexample, a query package can further encapsulate a package attributethat specifies a type of data visualization that is to be created usingthe queried data. The type of data visualization can include, forexample, scatterplots, pie charts, tables, bar charts, geospatialrepresentations, heat maps, chord charts, interactive graphs, bubblecharts, candlestick charts, stoplight charts, spring graphs, and/orother types of charts, graphs, or manners of displaying data.

In some embodiments, query packages may run one specific query. Invarious other embodiments, query packages may run multiple queries.Table 1 below lists example package attributes that can be included in agiven query package.

TABLE 1 PACKAGE ATTRIBUTE(S) DESCRIPTION Package Name A name by whichthe query package can be referenced. Package A description of the querypackage's operation. Description Security Scope Optionally specify asecurity and data access policy as described with respect to FIG. 2.Visualization Specifies a type of data visualization such as, forexample, scatterplots, pie charts, tables, bar charts, geospatialrepresentations, heat maps, chord charts, interactive graphs, bubblecharts, candlestick charts, stoplight charts, spring graphs, and/orother types of charts, graphs, or manners of displaying data. In caseswhere the package is representative of multiple queries, thevisualization attribute may be represented as an array of visualizationsthat can each have a visualization type, a data source, and a targetentity (e.g., entity that is being counted such as, for example,messages, message participants, etc.) Default Group-By Retrieves dataaccording to, for example, one or Field more data columns (e.g., bylocation, department, etc.). Aggregation Period A time period such as,for example, daily, hourly, etc. Data-Smoothing Specifies one or morealgorithms that attempt to Attributes capture important patterns in thedata, while leaving out noise or other fine-scale structures/rapidphenomena. Visualization- Certain types of visualizations may requireSpecific additional attributes such as, for example, Attributesspecification of settings for sorting, number of elements in a dataseries, etc. Facet Names Data (or fields) related to the query that canbe used to categorize data. Particular values of facets can be used, forexample, to constrain query results. Array of Entities An array ofentities that can each have, for example, a name, entity type (e.g.,message), filter expression, and a parent-entity property. Array ofFacets An array of facets that can each have, for example, a name,group-by field, and a minimum/maximum number of results to show.

In a typical embodiment, query packages can be shared among users ordistributed to users, for example, by an administrator. In a typicalembodiment, one user may share a particular query package with anotheruser or group of users via the user interface 240. In similar fashionthe other user or group of users can accept the query package via theuser interface 240. Therefore, the query manager 242 can add the sharedquery package for the user or group of users. As described above, thequery manager 242 generally maintains each user's query packages in atable by a unique identifier. In a typical embodiment, query packagesfurther facilitate sharing by specifying data and data sources in arelative fashion that is, for example, relative to a user running thequery. For example, package attributes can refer to data owned by a userrunning the query or to data that is owned by users under thesupervision of the user running the query rather than to specific dataor users.

FIG. 8 presents a flowchart of an example of a data query process 800that uses query packages. The process 800 can be implemented by anysystem that can process a query package provided by a user or anothersystem and cause the results of a query encapsulated therein to bepresented to the user or provided to the other system. For example, theprocess 800, in whole or in part, can be implemented by one or more ofthe BIM access system 136, the user interface 240, the query manager242, and the query security manager 244. In some cases, the process 800can be performed generally by the BIM system 130. Although any number ofsystems, in whole or in part, can implement the process 800, to simplifydiscussion, the process 800 will be described in relation to specificsystems or subsystems of the BIM system 130.

The process 800 begins at block 802 where, for example, the userinterface 240 from a user a selection of a query package. In variousembodiments, the query package may be selected from a list or graphicalrepresentation of query packages. As described above, the query packagetypically specifies a data visualization based on a data query. Invarious embodiments, the query package may specify more than one datavisualization and/or be based on more than one data query. At block 804,the query manager 242 formats one or more queries based on the querypackage selected at block 802. In certain embodiments, the block 804 maybe optional. For example, in some cases the query package may alreadyinclude a query that can be processed by the BIM system 130 withoutmodification.

At block 806, the user interface 240 receives one or more usercredentials from the user. In some cases, the user credentials may bereceived from an application. The user credentials can include any typeof credential or identifier that can be used to identify a user and/ordetermine a set of permissions or a level of authorization associatedwith the user. At block 808, the query security manager 244 can validatethe user, or application, based at least in part on the user credentialsreceived at the user interface 240. Validating the user can includeidentifying the user, identifying permissions associated with the user,the user's role, and/or an authorization level associated with the user.In some embodiments, if the query security manager 244 is unable tovalidate the user or determines that the user lacks authorization toaccess the BIM system 130 and/or query the databases 232, the querysecurity manager 244 may reject the one or more queries. Further, theuser interface 240 may inform the user that the user is not authorizedto access the BIM system 130 or to query the databases 232. In someimplementations, if the user identifies as a guest or if the querysecurity manager 244 is unable to validate the guest, the user may beassociated with a guest identity and/or a set of guest permissions,which may permit limited access to the BIM system 130 or the data storedat the databases 232. In some cases, a guest may receive full access tothe BIM system 130. However, the actions of the guest may be logged orlogged differently than the actions of an identified user.

At block 810, the query security manager 244 attaches the userpermissions to the one or more queries. Alternatively, or in addition,the query security manager may attach the user's identity, role, and/orauthorization level to the one or more queries. In some embodiments, oneor more of the blocks 806, 808, and 810 may be optional.

At block 812, the query manager 242 retrieves data, and/or metadata,satisfying the one or more queries. In some implementations, the block812 may include providing the one or more queries to the data repositoryengine 222 for processing. The data repository engine 222 can then querythe databases 232 to obtain data that satisfies the one or more queries.This data can then be provided to the query manager 242.

At decision block 814, the query security manager 244 can determinewhether the user has permission, or is authorized, to access the datathat satisfies the one or more queries. Determining whether the user haspermission to access the data may be based on any type of factor thatcan be used to determine whether a user can access data. For example,the determination may be based, at least in part, on the user'scredentials, the user's permissions, a security level associated withthe data, etc. In some cases, the data repository engine 222 may performthe decision block 814 as part of the process associated with the block812.

If the query security manager 244 determines that the user does not havepermission to access the data, the query security manager 244 rejectsthe one or more queries at block 816. In some cases, rejecting the oneor more queries may include informing the user that the query packagenot authorized and/or that the user is not authorized to access the dataassociated with the query package. In other cases, rejecting the one ormore queries may include doing nothing or presenting an indication tothe user that no data satisfies the query package.

If the query security manager 244 determines that the user does havepermission to access the data, the query manager 242 (or a separatevisualization component) generates the data visualization at block 818.At block 820, the user interface 240 provides the data visualization tothe user. Providing the user the data visualization can includepresenting the data visualization on a webpage, in anapplication-generated window, in a file, in an email, or any othermethod for providing data to a user. In some cases, the datavisualization may be copied to a file and the user may be informed thatthe data visualization is ready for access by, for example, providingthe user with a copy of the file, a link to the file, or a locationassociated with the file.

FIG. 9 illustrates an example of a user interface that can be used by auser to select a query package.

FIG. 10 illustrates an example of a user interface that can be used by auser to create or modify a query package.

Table 2 below provides an example of a data model that can be utilizedby a BIM system such as, for example, the BIM system 130. In particular,Table 2 illustrates several entities that can be used to modelcommunications such as, for example, personal communications or businesscommunications.

TABLE 2 ENTITY FIELD DATA TYPE Message Body String ClassificationsStrings Content String Date Date Time External Recipients Entities(Message Participant) File Attachments Entities (File) In reply toEntity (Message) Internal Recipients Entities (Message Participant) IsEncrypted Boolean Message Attachments Entities (Messages) Message IDsStrings Original Message ID String Participants Entities (MessageParticipant) Platform Enum (Message Platform type) Recipients Entities(Message Participant) Send Date Date Time Send Time of Day Time SenderEntity (Message Participant) Size Integer Subject String Thread Entity(Message Thread) Type Enum (Message Address Type) Message Date Date TimeParticipant Deletion Date Date Time Delivery Time Time Span Has BeenDelivered Boolean ID String Is Addressed in BCC Boolean Is Addressed inCC Boolean Is Addressed in TO Boolean Is External Recipient Boolean IsInternal Recipient Boolean Is Recipient Boolean Is Sender BooleanMessgeAsSender Entity (Message) MessageAsInternalRecipient Entity(Message) MessageAsExternalRecipient Entity (Message) Message AddressEntity (Message Address) Person Entity (Person Snapshot) Receipt DateDate Time Receipt Time of Day Time Responses Entity (Message) ResponseTime Time Span Message Domain Entity (ONS Domain) Address Is ExternalBoolean Is Internal Boolean Name String Platform Enum (Message PlatformType) Type Enum (Message Address Type DNS Name String Domain AddressEntities (Messaging Address) Person All Reports Entities (PersonSnapshot) Snapshot Company String Department String Direct ReportsEntities (Person Snapshot) First Name String Full Name String HistoryEntity (Person History) ID String Initials String Job Title String LastName String Manager Entity (Person Snapshot) Managers Entities (PersonSnapshot) Messaging Addresses Entities (Message Address) MessageParticipants Office String OU String Snapshot Date Date Time StreetAddress Complex Type (Street Address) Telephone Numbers Strings StreetCity String Address Country or Region String PO Box String State orProvince String Street String Zip or Postal Code String Person CurrentEntity (Person) History Historic Entities (Person) ID String MessagesEntities (Message) Timestamp Date Time Message ID String Thread MessagesEntities (Message) Participants Entities (Message Participant Threadsubject String Timestamp Date Time File Filename String ID StringMessages Entities (Message) Modified Date Date Time Size Integer HashStringIII. Example Operation of a Content-Exposure Analysis System

FIG. 11 illustrates an embodiment of a system 1100 for analyzing contentexposure. The system 1100 includes the content-exposure analysis system127, the BIM system 130, central content sources 1176, a client 1114,and user content sources 1155. As described in greater detail below, thecontent-exposure analysis system 127 can interact with the client 1114to anticipate and monitor exposure events initiated on the client 1114.

The client 1114 can operate as described, for example, with respect tothe client 114, the client 116, and/or the client 116 of FIG. 1. In someembodiments, the client 1114 can be representative of a virtual desktopprovisioned by a component of the computing environment 102 or by acomponent of another environment or system. Although the client 1114 isshown singly for simplicity of illustration and description, it shouldbe appreciated that, in various embodiments, the content-exposureanalysis system 127 can interact with a plurality of clients similar tothe client 1114.

In general, the central content sources 1176 can include, for example,systems that allow publishing, editing, modifying, transmitting and/ormaintaining of content. As illustrated, the central content sources 1176can store or maintain central content 1111 as part of their operation.The central content 1111 can include, for example, documents,presentations, media (e.g., audio, video, images, etc.), communications,text strings, combinations of same and/or the like. The central contentsources 1176, in general, are representative of at least a portion ofthe internal data sources 120 and the external data sources 122 asillustrated in FIG. 1. For ease of illustration and description, thoseof the internal data sources 120 and the external data sources 122 thatcan serve as a content source are shown collectively as the centralcontent sources 1176.

In the illustrated embodiment, the content-exposure analysis system 127includes a central indexing engine 1129, an exposure projection module1131, an exposure tracking module 1133, a content-reuse detection engine1135, a data access system 1137, and an event-density analysis module1151. As shown, the client 1114 can include a user-environment indexingengine 1145, a data request module 1147, and a presentation module 1149.

The central indexing engine 1129 can be a hardware and/or softwaremodule operable to generate and index fingerprints of some or allcontent items in the central content 1111. In some embodiments, thecentral indexing engine 1129 can access the central content 1111directly via the central content sources 1176. In addition, oralternatively, the central indexing engine 1129 can access the centralcontent 1111 through the BIM system 130. For example, in some cases, thecentral indexing engine 1129 can access the central content 1111 via theaccess manager 204. By way of further example, in other cases, thecentral indexing engine 1129 can access the central content 1111 as datathat is collected, for example, by the data collection system 132.

In certain embodiments, the central indexing engine 1129 can extractsubstrings, or n-grams, from some or all content items of the centralcontent 1111. In some cases, the substrings can be extracted at one ormore configurable levels of granularity such as, for example, words,phrases, sentences, etc. Thereafter, the central indexing engine 1129can generate a fingerprint of each substring using, for example, Rabin'sfingerprinting algorithm, a cryptographic hash function (e.g., MD5, SHA,etc.), combinations of same and/or the like. In some embodiments, thecentral indexing engine 1129 can use built-in fingerprintingfunctionality of one or more of the central content sources 1176. Thefingerprint of a given content item can be considered, for example, acombination of its substring fingerprints.

In certain embodiments, for each content item that is fingerprinted,corresponding substring fingerprints can be stored in a centralfingerprint repository 1139. In addition, content metadata can beextracted from the content items and stored with the substringfingerprints. The content metadata can include, for example, a title,timing information, an author of the content item, an organizationassociated with the content item, etc. The timing information canindicate a date and time of a last edit of a given content item, a dateand time of creation of a given content item, a date and time oftransmission of a given content item, combinations of same and/or thelike. Example operation of the central indexing engine 1129 will bedescribed with respect to FIG. 12.

The exposure projection module 1131 can be a hardware and/or softwaremodule operable to process user-initiated precursors of exposure events.An exposure event can be, for example, an event whose occurrence wouldresult in content being exposed to one or more additional users. Auser-initiated precursor of an exposure event can be, for example, auser action that frequently precedes an exposure event. In many cases,the user action may be a prerequisite to the occurrence of a givenexposure event. In an example, for an exposure event of emailingparticular content to one or more recipients, a precursor of theexposure event could be entry by a user of one or more recipients intoan appropriate field (e.g., a TO field, a CC field, a BCC field, etc.).In certain embodiments, the exposure projection module 1131 can be usedto project a scope of exposure (e.g., one or more users) for ananticipated exposure event.

In some cases, the exposure projection module 1131 can detectuser-initiated precursors of exposure events, for example, by monitoringcommunications platforms that may be included among the central contentsources 1176. In still other cases, the exposure projection module 1131can receive notifications of user-initiated precursors of exposureevents that are detected, for example, on the client 1114. In thesecases, the exposure projection module 1131 can further receiveinformation related to the user-initiated precursor such as, forexample, a communication which would constitute the exposure event.Example operation of the exposure projection module 1131 will bedescribed in greater detail with respect to FIG. 14.

The exposure tracking module 1133 can be a hardware and/or softwaremodule operable to detect the occurrence of exposure events. In certainembodiments, once a given exposure event occurs relative to particularcontent, the exposure tracking module 1133 can further track, acrosscommunications platforms, follow-on exposure events which chain from theexposure event. In general, follow-on exposure events can be additionalexposure events that directly result from an original exposure event.Consider an example of user A emailing particular content to user B.According to this example, follow-on exposure events could include userB forwarding the particular content to users C, D and E, user Eforwarding the particular content to user group F, etc. Informationrelated to exposure events that are detected can be stored in anexposures repository 1141. Example operation of the exposure trackingmodule 1133 will be described in greater detail with respect to FIG. 15.

The content-reuse detection engine 1135 can be a hardware and/orsoftware module operable to compare one or more content fingerprintswith content fingerprints of the central fingerprint repository 1139.Based thereon, the content-reuse detection engine 1135 can identifyreuses of particular content by users. In certain embodiments, thecontent-reuse detection engine 1135 can generate various analyticsrelated to uses/re-uses of particular content such as, for example,which user is associated with an earliest use of the particular content.In certain embodiments, data generated by the content-reuse detectionengine 1135 can be stored in an analytics repository 1143. Exampleoperation of the content-reuse detection engine 1135 will be describedin greater detail with respect to FIG. 16.

The event-density analysis module 1151 can be a hardware and/or softwaremodule operable to analyze a density, or concentration, of exposureevents for a variable of interest such as, for example, time. Exampleoperation of the event-density analysis module 1151 will be described ingreater detail with respect to FIG. 17. The data access system 1137 canbe a hardware and/or software module operable to interact with theclient 1114 to provide information generated or stored by thecontent-exposure analysis system 127. Example operation of the dataaccess system 1137 will be described in greater detail with respect toFIG. 18. In some embodiments, the event-density analysis module 1151 canbe on the client 1114 rather than on the content-exposure analysissystem 127 as illustrated.

Referring now more specifically to the client 1114, the user contentsources 1155 can include, for example, user-accessible resources thatallow storing, publishing, editing, modifying, transmitting and/ormaintaining of content. The user content sources 1155 can includestorage or memory accessible in a user environment on the client 1114such as, for example, local drives, network drives, cloud drives, etc.As illustrated, the user content sources 1155 can store or maintain usercontent 1157 as part of their operation.

In certain embodiments, the user-environment indexing engine 1145 can bea hardware and/or software module operable to generate and indexfingerprints of some or all content items in the user content 1157 usinga methodology similar to that which is described above relative to thecentral indexing engine 1129. In certain embodiments, for each contentitem that is fingerprinted, corresponding substring fingerprints can bestored in a user fingerprint repository 1153. In similar fashion to thatwhich is described above relative to the central indexing engine 1129,content metadata can be extracted from the content items and stored withthe sub string fingerprints in the user fingerprint repository 1153.

In addition, or alternatively, the user-environment indexing engine 1145can transmit fingerprints and/or content metadata generated therein tothe central indexing engine 1129 for integration and storage in thecentral fingerprint repository 1139. Advantageously, in certainembodiments, the content-exposure analysis system 127 can therebyanalyze and/or generate exposure information related to the user content1157 in a similar fashion to that which is described relative to thecentral content 1111. Example operation of the user-environment indexingengine 1145 will be described with respect to FIG. 13.

In certain embodiments, the data request module 1147 can be a hardwareand/or software module operable to request exposure information relatedto particular content from the content-exposure analysis system 127. Thedata request module 1147 can transmit the requests, for example, to thedata access system 1137. Each request can include or identifyfingerprints of one or more content items to which the request pertains.In general, the data request module 1147 can request any type ofinformation maintained in the central fingerprint repository 1139, theexposures repository 1141, and/or the analytics repository 1143.

In certain embodiments, the presentation module 1149 can be a moduleoperable to integrate with software of a user environment on the client1114. For example, the presentation module 1149 can integrate with agraphical user interface (GUI) provided by an operating system, othersoftware such as communications software (e.g., an email client),combinations of same, and/or the like. In certain embodiments, thepresentation module 1149 can be accessible via menus or other displayitems of a GUI with which it is integrated. In some instances, thepresentation module 1149 may also be referred to as a plug-in orextension of a given software application.

In various cases, the presentation module 1149 can receive and serviceuser requests for exposure information for particular content. In anexample, the presentation module 1149 can be integrated with a GUI(e.g., an operating system GUI) that provides a view of a file systemmaintained thereby. According to this example, the presentation module1149 may be operable to monitor for user selections of particularcontent, for example, for purposes of obtaining exposure informationrelated thereto. In various cases, the user selections or requests canbe made, for example, via graphical selection, context menus, hover-overactions, etc. In another example, the presentation module 1149 can beintegrated with a GUI of an email client. According to this example, thepresentation module 1149 may request and provide information related tocontent items to be transmitted over email.

The presentation module 1149 can forward requests for exposureinformation to the data request module 1147 for handling as describedabove. The requested exposure information can be received and, in somecases, transformed by the presentation module 1149 for presentation to arequesting user. The presentation module 1149 can provide a GUI overlay,on top of the GUI or software application with which it is integrated,that displays received and/or transformed information. For example, auser (e.g., an administrator, super user, chief security officer,regular user, or other user) could request information related to anumber or frequency of exposure events for a selected content item(e.g., a document authored by the user) over a period of time. Accordingto this example, the presentation module 1149 could generate and displayscatterplots, pie charts, tables, bar charts, geospatialrepresentations, heat map, chord charts, interactive graphs, bubblecharts, candlestick charts, stoplight charts, spring graphs, and/orother types of charts, graphs, or manners of displaying data.

In some embodiments, the presentation module 1149 can detectuser-initiated precursors of exposure events. The presentation module1149 can monitor one or more GUIs with which it is integrated for one ormore user actions that are deemed to be user-initiated precursors. Forexample, in an embodiment, the presentation module 1149 could beintegrated with a communications client (e.g., an email or othermessaging client) and detect that the user has entered one or morerecipients into an appropriate field (e.g., a TO field, a CC field, aBCC field, etc.). In another example, the presentation module 1149 couldbe integrated with a web browser or other software application anddetect that the user has uploaded a particular content item for sharingon a content-management platform.

It should be appreciated that, in various embodiments, the presentationmodule 1149 can be integrated with multiple software applications and/orGUIs. In addition, in many cases, the client 1114 can include multiplepresentation modules similar to the presentation module 1149. Exampleoperation of the presentation module 1149 will be described in greaterdetail with respect to FIGS. 18-19.

FIG. 12 presents a flowchart of an example of a process 1200 forindexing fingerprints of centrally-accessible content items such as thecentral content 1111 of FIG. 11. In certain embodiments, the process1200 can be triggered on-demand, at scheduled intervals, when newcontent or content sources are added to the system 1100, combinations ofsame and/or the like. The process 1200 can be implemented by any systemthat can process data. For example, the process 1200, in whole or inpart, can be implemented by one or more of the central indexing engine1129, the exposure projection module 1131, the exposure tracking module1133, the content-reuse detection engine 1135, the data access system1137, the event-density analysis module 1151, the user-environmentindexing engine 1145, the data request module 1147, and/or thepresentation module 1149. In some cases, the process 1200 can beperformed generally by the content-exposure analysis system 127 and/orthe client 1114. Although any number of systems, in whole or in part,can implement the process 1200, to simplify discussion, the process 1200will be described in relation to the system 1100 of FIG. 11.

At block 1202, the central indexing engine 1129 discovers the centralcontent 1111. In a typical embodiment, the central content 1111 isdiscovered across numerous heterogeneous platforms which, as describedabove, can be included among the central content sources 1176. Forexample, the central content sources 1176 can include business orinternal email systems, non-business or external email systems, socialnetworking accounts, inventory databases, file directories, enterprisesystems, CRM systems, collaboration systems, etc.

In certain embodiments, the central indexing engine 1129 can discoverthe central content 1111 via the BIM system 130. In an example, thecentral indexing engine 1129 can discover the central content 1111 byidentifying and accessing data collected by the data collection system132 of the BIM system 130. In another example, the central indexingengine 1129 can discover the central content 1111 by identifying andaccessing data that is available to the access manager 204 of the BIMsystem 130, etc. In certain embodiments, the central indexing engine1129 can directly access the central content sources 1176 for purposesof discovering the central content 1111.

At block 1204, the central indexing engine 1129 generates one or morecontent fingerprints for each item of content in the central content1111 or a subset thereof. In general, the content fingerprints can begenerated as described with respect to FIG. 11. At block 1206, thecentral indexing engine 1129 stores the generated content fingerprintsin the central fingerprint repository 1139. In many cases, contentmetadata can be stored with the generated content fingerprints. Thecontent metadata can include, for example, a title, timing information,an author of the content item, an organization associated with thecontent item, etc. as described above in relation to FIG. 11.

FIG. 13 presents a flowchart of an example of a process 1300 forindexing fingerprints of content in a user environment such as the usercontent 1157. In certain embodiments, the process 1300 can be triggeredon-demand, at scheduled intervals, when new content and/or contentsources are added to the user content sources 1155, combinations of sameand/or the like. The process 1300 can be implemented by any system thatcan process data. For example, the process 1300, in whole or in part,can be implemented by one or more of the central indexing engine 1129,the exposure projection module 1131, the exposure tracking module 1133,the content-reuse detection engine 1135, the data access system 1137,the event-density analysis module 1151, the user-environment indexingengine 1145, the data request module 1147, and/or the presentationmodule 1149. In some cases, the process 1300 can be performed generallyby the content-exposure analysis system 127 and/or the client 1114.Although any number of systems, in whole or in part, can implement theprocess 1300, to simplify discussion, the process 1300 will be describedin relation to the system 1100 of FIG. 11.

At block 1302, the user-environment indexing engine 1145 discovers theuser content 1157. For example, in some embodiments, local drives,network drives, and/or cloud drives accessible to the client 1114 can beidentified and accessed. According to this example, the block 1302 caninclude discovering content items on the local drives, network drives,cloud drives, etc. At block 1304, the user-environment indexing engine1145 generates or more content fingerprints (e.g., substringfingerprints) for each content item in the user content 1157 or a subsetthereof. In general, the content fingerprints can be generated asdescribed with respect to FIG. 11 in relation to the central indexingengine 1129.

At block 1306, the user-environment indexing engine 1145 stores thecontent fingerprints generated at the block 1304 in the user fingerprintrepository 1153. In many cases, content metadata can be extracted fromthe content items and stored with the fingerprints in the userfingerprint repository 1153 as described above in relation to FIG. 11.At block 1308, the user-environment indexing engine 1145 providesinformation related to the generated content fingerprints to the centralindexing engine 1129 of the content-exposure analysis system 127. Theprovided information can include, for example, the generatedfingerprints, content metadata, and/or other data.

At block 1310, the central indexing engine 1129 receives theinformation. At block 1312, the central indexing engine 1129 stores theinformation in the central fingerprint repository 1139. In certainembodiments, the information can be stored in relation to the client1114 and/or a user of the client 1114. In this fashion, in certainembodiments, clients such as the client 1114 can serve as additionalcontent-fingerprint sources for the content-exposure analysis system127.

FIG. 14 presents a flowchart of an example of a process 1400 forprojecting a potential exposure of a content-exposure event. The process1400 can be implemented by any system that can process data. Forexample, the process 1400, in whole or in part, can be implemented byone or more of the central indexing engine 1129, the exposure projectionmodule 1131, the exposure tracking module 1133, the content-reusedetection engine 1135, the data access system 1137, the event-densityanalysis module 1151, the user-environment indexing engine 1145, thedata request module 1147, and/or the presentation module 1149. In somecases, the process 1400 can be performed generally by thecontent-exposure analysis system 127 and/or the client 1114. Althoughany number of systems, in whole or in part, can implement the process1400, to simplify discussion, the process 1400 will be described inrelation to the system 1100 of FIG. 11.

At block 1402, the exposure projection module 1131 monitors for auser-initiated precursor of an exposure event. In various embodiments, auser-initiated precursor of an exposure event can be an anticipatedexposure event in relation to any content indexed in the centralfingerprint repository 1139 and/or the user fingerprint repository 1153.In some cases, the block 1402 can include the exposure projection module1131 monitoring for notifications from the presentation module 1149 thata user-initiated precursor has been detected by the presentation module1149 (e.g., via entry of addresses or recipients in a TO, CC, or BCCfield). In these cases, the notification can include, for example,information related to the user-initiated precursor such as data relatedto what content the user was attempting to expose, how the user wasattempting to expose the content, and to whom the user was attempting toexpose the content. For instance, the notification could include all orpart of a communication such as an email. In other cases, the exposureprojection module 1131 can monitor the central content sources 1176(e.g., various ones of the internal data sources 120 or the externaldata sources 122 of FIG. 1) for transmissions, selections, or uploads ofcontent.

In a particular example of the exposure projection module 1131 detectingthe user-initiated precursor, the exposure projection module 1131 couldmonitor and detect draft communications that appear on a givencommunications platform (e.g., one of the internal data sources 120 orexternal data sources 122 of FIG. 1). Draft communications can, in somecases, appear in a drafts folder of a user. According to this example,the appearance of a draft communication in a drafts folder of the usercan itself be a user-initiated precursor of an exposure event and/or away to evaluate for the existence of a user-initiated precursor of anexposure event. In another example, the exposure projection module 1131could be integrated in a web or cloud-based communications client thatdirectly detects, for example, when the user enters recipients into a TOfield, CC field, BCC field, etc.

At decision block 1404, the exposure projection module 1131 determineswhether a user-initiated precursor of an exposure event has beenidentified. If not, the process 1400 returns to block 1402 and proceedsas described above. Otherwise, if it is determined at decision block1404 that a user-initiated precursor of an exposure event has beenidentified, the process 1400 proceeds to block 1406.

At block 1406, the exposure projection module 1131 automaticallydetermines particular content that would be exposed if the exposureevent were to occur. The particular content can be, for example, a filethat is uploaded (or selected to be uploaded) to a collaborationplatform, a file that is attached to communication such as an email orother message, inline text of an email or other message, combinations ofsame and/or the like.

At block 1408, the exposure projection module 1131 automaticallydetermines users to which the particular content would be exposed if theanticipated exposure event were to occur. In a typical embodiment, theexposure projection module 1131 can identify user indications of whowill be given access to the particular content and then aggregate thoseusers covered by the user indications. For example, if the anticipatedexposure event is a communication containing or attaching the particularcontent, the exposure projection module 1131 can identify users orgroups of users who are addressees of the communication or who aremembers of an indicated distribution list and aggregate those usergroups or distribution list. By way of further example, if theanticipated exposure event is uploading, or publishing, the particularcontent to a site or page on a collaboration platform, the exposureprojection module 1131 can identify and aggregate users or groups ofusers who are given access to the site or page as indicated, forexample, by an access control list.

In some embodiments, the block 1408 can include quantitativelyevaluating an anticipated breadth of the anticipated exposure eventbased, at least in part, on an aggregation of users as described above.For instance, the exposure projection module 1131 can generate anassessment of the anticipated exposure event such as, for example, atotal number of users to whom the particular content would be exposed ifthe exposure event were to occur. In an example, the exposure projectmodule 1131 could classify the anticipated exposure event into one ormore categories such as, for example, mild, moderate, great, extreme,etc. The classification could be based on, for example, a number ofusers to whom the particular content would be exposed (e.g., “mild” ifthe number is less than three, “moderate” if the number is greater thanor equal to three but less than ten, “great” if the number is greaterthan or equal to ten, “extreme” if the particular content is going to bemade accessible to the public, etc.).

At block 1410, the exposure projection module 1131 publishes resultantinformation to a user. The resultant information can be, for example,any information received or generated at the block 1408. The user canbe, for example, a user of the client 1114 of FIG. 11. In someembodiments, the publication at the block 1410 can include making theresultant information available for transmission to the client 1114. Inaddition, or alternatively, the publication at the block 1410 caninclude providing the resultant information to the presentation module1149 for immediate presentation to the user. In these cases, theresultant information can be provided, for example, as a UI overlay onthe GUI with which the presentation module 1149 is integrated.

At block 1412, a report containing information related to the resultantinformation can be sent to one or more designated users such as, forexample, a manager of the user, a user associated with the particularcontent in the central fingerprint repository 1139 (e.g., a userassociated with a first use of an identical or sufficiently similarcontent fingerprint), combinations of same, and/or the like. In someembodiments, the block 1412 can be omitted such that user-initiatedprecursors of content-exposure events are not reported. From block 1412,the process 1400 returns to block 1402 and proceeds as described above.In general, the process 1400 can continue until terminated by anadministrator or other user or other stop criteria is satisfied.

FIG. 15 presents a flowchart of an example of a process 1500 fordetecting and handling exposure events. The process 1500 can beimplemented by any system that can process data. For example, theprocess 1500, in whole or in part, can be implemented by one or more ofthe central indexing engine 1129, the exposure projection module 1131,the exposure tracking module 1133, the content-reuse detection engine1135, the data access system 1137, the event-density analysis module1151, the user-environment indexing engine 1145, the data request module1147, and/or the presentation module 1149. In some cases, the process1500 can be performed generally by the content-exposure analysis system127 and/or the client 1114. Although any number of systems, in whole orin part, can implement the process 1500, to simplify discussion, theprocess 1500 will be described in relation to the system 1100 of FIG.11.

At block 1502, the exposure tracking module 1133 monitors for anexposure event of particular content. For example, the exposure trackingmodule 1133 can monitor communications platforms (e.g., various ones ofthe internal data sources 120 or the external data sources 122 ofFIG. 1) for transmissions of the particular content. At decision block1504, the exposure tracking module 1133 determines whether an exposureevent has been detected. If not, the process 1500 returns to block 1502and proceeds as described above. Otherwise, if it is determined atdecision block 1504 that an exposure event has been detected, theprocess 1500 proceeds to block 1506.

At block 1506, the exposure tracking module 1133 stores informationrelated to the exposure event in the exposures repository 1141. Thestored information can include, for example, an identifier for theexposure event, a date and time at which the exposure event occurred, anidentifier for the particular content that was exposed, a scope ofexposure, combinations of same and/or the like. The scope of exposurecan be, for example, users to whom the particular content was exposed.In some cases, the scope of exposure can be automatically determined inthe fashion described with respect to block 1408 of FIG. 14, with theprimary difference being that the exposure event is actual rather thanmerely anticipated. In addition, the scope of exposure can berepresented using any of the metrics or values described with respect tothe block 1408 of FIG. 14.

At block 1508, the exposure tracking module 1133 monitors for follow-onexposure events which chain from the exposure event. For example, afollow-on exposure event could occur when a user to whom the particularcontent is exposed as a result of exposure event further exposes thecontent to one or more other users (e.g., using a communicationsplatform). There can be multiple successive levels of follow-on exposureevents. In some embodiments, the exposure tracking module 1133 can use atree abstract data type, in which the original exposure event is a root,to track exposure events related to the particular content.

At decision block 1510, the exposure tracking module 1133 determineswhether a follow-on event has been detected. If not, the process 1500returns to block 1508 and proceeds as described above. Otherwise, if itis determined at the decision block 1510 that a follow-on event has beendetected, the process 1500 proceeds to block 1512.

At block 1512, the exposure tracking module 1133 determines an expandeduser exposure resulting from the follow-on exposure event. The expandeduser exposure can be, for example, additional users to whom theparticular content was exposed as a result of the follow-on exposureevent. In some cases, the expanded user exposure can be automaticallydetermined in the fashion described with respect to block 1408 of FIG.14, with the primary difference being that the follow-on exposure eventis an actual exposure rather than merely an anticipated exposure. Inaddition, the expanded user exposure can be represented using any of themetrics or values described with respect to the block 1408 of FIG. 14.

At block 1514, the exposure tracking module 1133 stores informationrelated to the follow-on exposure event in the exposures repository1141. The stored information can include, for example, an identifier forthe follow-on exposure event, a date and time at which the follow-onexposure event occurred, an identifier for the particular content thatwas exposed, the expanded user exposure (or related values or metrics),a relationship to a parent exposure event (e.g., an identifier for anexposure event from which the follow-exposure event chains),combinations of same and/or the like.

At block 1516, a report containing information related to the follow-onexposure event can be sent to one or more designated users such as, forexample, a manager of the user, a user associated with the particularcontent in the central fingerprint repository 1139 (e.g., a userassociated with an original exposure event, a user associated with afirst use of an identical or sufficiently similar content fingerprint),combinations of same, and/or the like. In some embodiments, the block1516 can be omitted such that follow-on exposure events are notreported. From block 1516, the process 1500 returns to block 1508 andproceeds as described above. In general, the process 1500 can continueuntil terminated by an administrator or other user or other stopcriteria is satisfied.

For ease of illustration and description, the process 1500 is describedabove relative to a single original exposure event. However, in certainembodiments, the process 1500 can occur with respect to a plurality ofcontent items (e.g., in the central content 1111 and/or the user content1157) and, consequently, with respect to a plurality of exposure events.In some embodiments, the process 1500 can be executed periodically as ascheduled task with respect to a plurality of content items (e.g. in thecentral content 1111 and/or the user content 1157) so as to identifyexposure events and follow-on exposure events. In addition, oralternatively, the process 1500 can monitor for exposure events andfollow-on exposure events continuously.

FIG. 16 presents a flowchart of an example of a process 1600 for ause-based analysis of particular content. The process 1600 can beimplemented by any system that can process data. For example, theprocess 1600, in whole or in part, can be implemented by one or more ofthe central indexing engine 1129, the exposure projection module 1131,the exposure tracking module 1133, the content-reuse detection engine1135, the data access system 1137, the event-density analysis module1151, the user-environment indexing engine 1145, the data request module1147, and/or the presentation module 1149. In some cases, the process1600 can be performed generally by the content-exposure analysis system127 and/or the client 1114. Although any number of systems, in whole orin part, can implement the process 1600, to simplify discussion, theprocess 1600 will be described in relation to the system 1100 of FIG.11.

At block 1602, the content-reuse detection engine 1135 receives arequest to perform a use-based analysis of particular content. Incertain embodiments, the request can result from a scheduled task, anon-demand trigger by an administrator, chief security officer, superuser or other user, a request received via the data access system 1137,combinations of same, and/or the like. In a typical embodiment, therequest identifies the particular content, for example, by one or morecontent fingerprints or other identifier(s).

At block 1604, the content-reuse detection engine 1135 determines acontent fingerprint for the particular content. In cases where thecontent fingerprint is included or specified in the request, thecontent-reuse detection engine 1135 can determine the contentfingerprint directly from the request. In some cases, the contentfingerprint can be determined by searching the central fingerprintrepository 1139 for an identifier included with the request andretrieving a corresponding content fingerprint. In still other cases,the content-reuse detection engine 1135 can generate the contentfingerprint as described, for example, with respect to FIG. 11.

At block 1606, the content-reuse detection engine 1135 compares thecontent fingerprint of the particular content to content fingerprints ofthe central fingerprint repository 1139. At block 1608, thecontent-reuse detection engine 1135 identifies uses of the particularcontent based on the comparison at block 1604. In a typical embodiment,each content fingerprint of the central fingerprint repository 1139which sufficiently matches the content fingerprint of the particularcontent can be considered a use of the particular content. For example,as described with respect to FIG. 11, a content fingerprint of a givencontent item can include a set of sub string fingerprints.

In certain embodiments, for purposes of identifying the uses of theparticular content, the content-reuse detection engine 1135 can computeone or more similarity values for each content item represented in thecentral fingerprint repository 1139 or a subset thereof. In an example,the content-reuse detection engine 1135 could determine, for eachcontent item represented in the central fingerprint repository 1139, anumber or percentage of substring fingerprints of the particular contentwhich match a substring fingerprint of the content item. According tothis example, a given content item of the central fingerprint repository1139 could be considered to sufficiently match the particular content ifits similarity value exceeds a configurable similarity threshold (e.g.,ninety-five percent). In some embodiments, a combination of similaritythresholds can be utilized.

At block 1610, the content-reuse detection engine 1135 generatesanalytics related to the uses identified at block 1608. For example, thecontent-reuse detection engine 1135 could identify an earliest use ofthe uses based on timing information. According to this example, thecontent-reuse detection engine 1135 could further determine a userassociated with the earliest use. The user associated with the earliestuse may be considered an originator of the particular content. Inanother example, each use subsequent to a date and time associated withthe particular content can be identified as a re-use. According to thisexample, the content-reuse detection engine 1135 can further determine auser associated with each identified re-use.

In another example, the content-reuse detection engine 1135 coulddetermine an influence of the particular content. In an example, theinfluence could be determined by how many users have a copy of theparticular content, for example, as a result of receiving identicalfingerprints from multiple clients similar to the client 1114 in thefashion described with respect to FIG. 13. The influence could also be ascore that weights a plurality of numeric factors such as a number ofusers who have a copy of the particular content, a number of users whoare responsible for exposure events of the particular content (e.g., asdetermined from the exposures repository 1141), a number of usersrepresented in the uses identified at block 1608, a number of exposureevents which are exposures outside the organization (e.g., as determineddomains, access control list, platform to which content is beingexposed, etc.), combinations of same and/or the like.

In still another example, the content-reuse detection engine 1135 couldidentify subsequent reuses of the particular content in which contentmetadata has been altered. For instance, the content-reuse detectionengine 1135 could identify any instances in which content metadata hasbeen altered to modify an author field. As another example, thecontent-reuse detection engine 1135 could analyze a virality of theparticular content. In certain embodiments, virality can be a measure ofthe tendency of the particular content to be circulated rapidly andwidely. For example, the content-reuse detection engine 1135 coulddetermine whether the content is stale (e.g., limited distribution asindicated by a number of exposure events below a threshold value, noexposure events within a certain time period such as one month, etc.),“hot” (e.g., acceleration of exposure events, an influence score over athreshold, etc.), “declining” (e.g., deceleration of exposure eventsrelative to a previous time period), combinations of same and/or thelike.

At block 1612, the content-reuse detection engine 1135 can store theanalytics generated at block 1610 and/or information related to theanalytics in the analytics repository 1143. At block 1614, informationrelated to the analytics can be provided, for example, to a requestor(e.g., the presentation module 1149). At block 1616, a report containinginformation related to the generated analytics can be sent to one ormore designated users such as, for example, a user associated with anearliest use of the particular content, a user associated with theparticular content in content metadata (e.g., a user who created or lastedited the particular content), combinations of same and/or the like. Insome embodiments, the block 1616 can be omitted such that no reports aregenerated and sent.

FIG. 17 presents a flowchart of an example of a process 1700 forperforming an event-density analysis of particular content. The process1700 can be implemented by any system that can process data. Forexample, the process 1700, in whole or in part, can be implemented byone or more of the central indexing engine 1129, the exposure projectionmodule 1131, the exposure tracking module 1133, the content-reusedetection engine 1135, the data access system 1137, the event-densityanalysis module 1151, the user-environment indexing engine 1145, thedata request module 1147, and/or the presentation module 1149. In somecases, the process 1700 can be performed generally by thecontent-exposure analysis system 127 and/or the client 1114. Althoughany number of systems, in whole or in part, can implement the process1700, to simplify discussion, the process 1700 will be described inrelation to the system 1100 of FIG. 11.

At block 1702, the event-density analysis module 1151 receives a requestfor event-density analysis of one or more content items. In certainembodiments, the request can result from a scheduled task, an on-demandtrigger by an administrator, chief security officer, super user or otheruser, a request received via the data access system 1137, combinationsof same, and/or the like. In a typical embodiment, the requestidentifies the content items, for example, by one or more contentfingerprints or other identifier(s). For example, the request canindicate a desire for any of the information operable to be generated orstored by the central indexing engine 1129, the exposure projectionmodule 1131, the exposure tracking module 1133, the content-reusedetection engine 1135, and the event-density analysis module 1151. Therequest can also specify filter criteria, which will be described ingreater detail below with respect to FIG. 18.

At block 1704, the event-density analysis module 1151 determines acontent fingerprint for the content items. In cases where the contentfingerprint is included or specified in the request, the event-densityanalysis module 1151 can determine the content fingerprint directly fromthe request. In some cases, the content fingerprint can be determined bysearching the central fingerprint repository 1139 for an identifierincluded with the request and retrieving a corresponding contentfingerprint. In still other cases, the event-density analysis module1151 can generate the content fingerprint as described, for example,with respect to FIG. 11.

At block 1706, the event-density analysis module 1151 compares thecontent fingerprints of the content items to content fingerprints ofcontent items represented in the exposures repository 1141. At block1708, the event-density analysis module 1151 identifies exposure eventsrelated to the content items based on the comparison at block 1706. In atypical embodiment, the event-density analysis module 1151 can identifyexposure events which involve content sufficiently similar to at leastone of the content items. In some embodiments, the event-densityanalysis module 1151 can use similarity values as described with respectto block 1608 of FIG. 16.

At block 1710, the event-density analysis module 1151 arranges theidentified exposure events by time interval of a particular time period.In some embodiments, the particular time period and/or time intervalsthereof can be specified in the request received at block 1702 such thatonly exposure events corresponding to that time period were identifiedat block 1708. For example, the event-density analysis module 1151 couldarrange the events by days of a 30-day time period pursuant to therequest. According to this example, each of the identified exposureevents could be associated with a particular day of the time period. Inother embodiments, the time period can be a time period over which theidentified exposure events occur (e.g., with no time limitation). Inthese embodiments, the time intervals of the time period could be acertain number of equal divisions thereof such as, for example, ten.

At block 1712, the event-density analysis module 1151 determines timedensities of the identified exposure events by content item and timeinterval. For example, for each of the content items identified in therequest received at block 1702, the event-density analysis module 1151could determine a number of exposure events for each time interval ofthe time period. The number of exposure events can be considered anexample of a time density. At block 1714, the event-density analysismodule 1151 provides resultant information to a requestor (e.g., thepresentation module 1149). In some cases, the resultant information canbe stored in the analytics repository 1143 or other memory.

FIG. 18 presents a flowchart of an example of a process 1800 forproviding user analytics related to exposure events. The process 1800can be implemented by any system that can process data. For example, theprocess 1800, in whole or in part, can be implemented by one or more ofthe central indexing engine 1129, the exposure projection module 1131,the exposure tracking module 1133, the content-reuse detection engine1135, the data access system 1137, the event-density analysis module1151, the user-environment indexing engine 1145, the data request module1147, and/or the presentation module 1149. In some cases, the process1800 can be performed generally by the content-exposure analysis system127 and/or the client 1114. Although any number of systems, in whole orin part, can implement the process 1800, to simplify discussion, theprocess 1800 will be described in relation to the system 1100 of FIG.11.

At block 1802, the presentation module 1149 of the client 1114 receivesa user selection of particular content stored in a user environment. Forexample, a user of the client 1114 can graphically select one or morecontent items such as a plurality of files of a file system, all filesof the user environment, etc. The user can be, for example, anadministrator, chief security officer, super user or other user The userselection, or request, can also specify filter criteria, which will bedescribed in greater detail below. At block 1804, the data requestmodule 1147 requests, via the data access system 1137, informationrelated to a level of exposure of the particular content.

In various cases, the request, at the user's direction, can filterexposure events by one or more criteria. For example, in one embodiment,the request could include filter conditions that specify informationgenerated and stored as described in U.S. patent application Ser. No.14/297,944 (“the '944 application”), which application is herebyincorporated by reference. For example, the request could group exposureevents by number of users, by device (e.g., mobile device or non-mobiledevice as described in the '944 application), by department (e.g., asdetermined from a directory service), by IP address (e.g., by specificIP address or whether the IP address is internal or external to anorganization as described in the '944 application), etc.

By way of further example, the request could specify top forwarders orduplicators of the particular content (e.g., a top-N users by totalnumber of exposure events in connection with the content items), mostinfluential forwarders or duplicators (e.g., top ten highest users in anorganizational hierarchy who are responsible for an exposure eventinvolving one of the content items), most-recent exposure events (e.g.,last thirty days), exposure events that are only partial use (e.g., as aresult of having a similarity value of less than one-hundred percent),etc.

By way of additional example, the request could filter the exposureevents to only include exposure events involving content with alteredmetadata (e.g., author, date, file size, number of words etc.), onlyexposure events in which content was exposed to external domains, onlyexposure events involving a particular document type (e.g., documentwith a particular file extension, inline text from email or instantmessaging, etc.), only exposure events involving a particular platform(e.g., only a particular collaboration platform), etc.

At block 1806, the data request module 1147 receives exposureinformation responsive to the request. In various embodiments, theexposure information can be generated by the exposure projection module1131, the exposure tracking module 1133, the content-reuse detectionengine 1135 and/or the event-density analysis module as described withrespect to FIGS. 14-17.

At block 1808, the presentation module 1149 generates a visualization ofthe exposure information. The visualization could be, for example, ascatterplot, pie chart, table, bar chart, geospatial representation,heat map, chord chart, interactive graph, bubble chart, candlestickchart, stoplight chart, spring graph, and/or another type of chart,graph, or manner of displaying data. An example will be described inrelation to FIG. 19. At block 1810, the presentation module 1149publishes the visualization to the user, for example, by causing thevisualization to be displayed to the user.

FIG. 19 illustrates an example of an interactive heat map 1900. Incertain embodiments, the interactive heat map 1900 can be avisualization generated by the presentation module 1149 as describedwith respect to block 1808 of FIG. 18. More particularly, thepresentation module 1149 can generate the interactive heat map 1900based on an output of the event-density analysis module 1151. In theillustrated embodiment, the interactive heat map 1900 indicates timedensities of exposure events for content items 1904. As shown, the timedensities are arranged over a timeline, or time period.

In certain embodiments, the interactive heat map 1900 can permit theuser to graphically select a portion thereof for purposes of obtainingadditional information related thereto. For example, as shown, agraphical selection 1902 of a portion of the interactive heat map canpermit the user to view more detailed information related to theselected exposure events. For example, the presentation module 1149 canprovide information regarding specific exposure events such as, forexample, an interactive report that identifies each exposure event andits corresponding time and content item. In addition, in certainembodiments, the interactive heat map 1900 can permit the user to filterby number of people, device (e.g., specific device, mobile device, ornon-mobile device as described in the '944 application), department, IPaddress (e.g., internal versus external), etc.

Depending on the embodiment, certain acts, events, or functions of anyof the algorithms described herein can be performed in a differentsequence, can be added, merged, or left out altogether (e.g., not alldescribed acts or events are necessary for the practice of thealgorithms). Moreover, in certain embodiments, acts or events can beperformed concurrently, e.g., through multi-threaded processing,interrupt processing, or multiple processors or processor cores or onother parallel architectures, rather than sequentially. Although certaincomputer-implemented tasks are described as being performed by aparticular entity, other embodiments are possible in which these tasksare performed by a different entity.

Conditional language used herein, such as, among others, “can,” “might,”“may,” “e.g.,” and the like, unless specifically stated otherwise, orotherwise understood within the context as used, is generally intendedto convey that certain embodiments include, while other embodiments donot include, certain features, elements and/or states. Thus, suchconditional language is not generally intended to imply that features,elements and/or states are in any way required for one or moreembodiments or that one or more embodiments necessarily include logicfor deciding, with or without author input or prompting, whether thesefeatures, elements and/or states are included or are to be performed inany particular embodiment.

While the above detailed description has shown, described, and pointedout novel features as applied to various embodiments, it will beunderstood that various omissions, substitutions, and changes in theform and details of the devices or algorithms illustrated can be madewithout departing from the spirit of the disclosure. As will berecognized, the processes described herein can be embodied within a formthat does not provide all of the features and benefits set forth herein,as some features can be used or practiced separately from others. Thescope of protection is defined by the appended claims rather than by theforegoing description. All changes which come within the meaning andrange of equivalency of the claims are to be embraced within theirscope.

What is claimed is:
 1. A method comprising, by a computer system:identifying a user-initiated precursor of an anticipated exposure event;in response to the identifying, automatically determining particularcontent that would be exposed if the anticipated exposure event were tooccur; automatically determining one or more users to which theparticular content would be exposed if the anticipated exposure eventwere to occur; before the anticipated exposure event occurs, publishinga result of the automatically determining one or more users to a userassociated with the user-initiated precursor; and in response to adetected occurrence of the anticipated exposure event, monitoring aplurality of communications platforms for follow-on exposure events inrelation to the particular content which chain from the detectedoccurrence of the anticipated exposure event.
 2. The method of claim 1,comprising: in response to a detected follow-on exposure event inrelation to the particular content, automatically determining anexpanded user exposure resulting from the follow-on exposure event; andreporting information related to the expanded user exposure to the user.3. The method of claim 2, wherein the follow-on exposure event isinitiated by a user of the one or more users.
 4. The method of claim 1,wherein the automatically determining one or more users comprises:identifying one or more user indications of recipients of the particularcontent; aggregating users covered by the one or more user indications;quantitatively evaluating an anticipated breadth of the anticipatedexposure event based, at least in part, on the aggregating; and whereinthe publishing comprises providing a result of the quantitativelyevaluating to the user.
 5. The method of claim 4, wherein the one ormore user indications comprise at least one of the following: acarbon-copy indication, a blind-carbon-copy indication, adistribution-list indication, and a user-group indication.
 6. The methodof claim 1, comprising: in response to the detected occurrence of theanticipated exposure event, generating one or more content fingerprintsin relation to the particular content; and storing the one or morecontent fingerprints in a repository of content fingerprints in relationto the user.
 7. The method of claim 6, comprising: comparing aparticular content fingerprint to the content fingerprints of therepository; and identifying at least one content fingerprint of therepository as a subsequent reuse of the particular content fingerprintbased, at least in part, on a result of the comparing.
 8. The method ofclaim 6, comprising: comparing a particular content fingerprint to thecontent fingerprints of the repository; identifying a contentfingerprint of the repository as an earliest use of the particularcontent fingerprint based, at least in part, on a result of thecomparing; and identifying a user associated with the earliest use. 9.The method of claim 6, comprising: comparing at least one contentfingerprint of the one or more content fingerprints to the contentfingerprints of the repository; identifying a subsequent reuse of the atleast one content fingerprint in which content metadata has been alteredto modify an author field; and reporting the subsequent reuse to theuser.
 10. The method of claim 1, wherein the identifying comprisesdetecting the user-initiated precursor.
 11. The method of claim 1,wherein the identifying comprises notification of the user-initiatedprecursor from a client information handling system.
 12. An informationhandling system comprising: a processor, wherein the processor isoperable to implement a method comprising: identifying a user-initiatedprecursor of an anticipated exposure event; in response to theidentifying, automatically determining particular content that would beexposed if the anticipated exposure event were to occur; automaticallydetermining one or more users to which the particular content would beexposed if the anticipated exposure event were to occur; before theanticipated exposure event occurs, publishing a result of theautomatically determining one or more users to a user associated withthe user-initiated precursor; and in response to a detected occurrenceof the anticipated exposure event, monitoring a plurality ofcommunications platforms for follow-on exposure events in relation tothe particular content which chain from the detected occurrence of theanticipated exposure event.
 13. The information handling system of claim12, the method comprising: in response to a detected follow-on exposureevent in relation to the particular content, automatically determiningan expanded user exposure resulting from the follow-on exposure event;and reporting information related to the expanded user exposure to theuser.
 14. The information handling system of claim 13, wherein thefollow-on exposure event is initiated by a user of the one or moreusers.
 15. The information handling system of claim 12, wherein theautomatically determining one or more users comprises: identifying oneor more user indications of recipients of the particular content;aggregating users covered by the one or more user indications;quantitatively evaluating an anticipated breadth of the anticipatedexposure event based, at least in part, on the aggregating; and whereinthe publishing comprises providing a result of the quantitativelyevaluating to the user.
 16. The information handling system of claim 15,wherein the one or more user indications comprise at least one of thefollowing: a carbon-copy indication, a blind-carbon-copy indication, adistribution-list indication, and a user-group indication.
 17. Theinformation handling system of claim 12, the method comprising: inresponse to the detected occurrence of the anticipated exposure event,generating one or more content fingerprints in relation to theparticular content; and storing the one or more content fingerprints ina repository of content fingerprints in relation to the user.
 18. Theinformation handling system of claim 17, the method comprising:comparing a particular content fingerprint to the content fingerprintsof the repository; and identifying at least one content fingerprint ofthe repository as a subsequent reuse of the particular contentfingerprint based, at least in part, on a result of the comparing. 19.The information handling system of claim 17, the method comprising:comparing a particular content fingerprint to the content fingerprintsof the repository; identifying a content fingerprint of the repositoryas an earliest use of the particular content fingerprint based, at leastin part, on a result of the comparing; and identifying a user associatedwith the earliest use.
 20. A computer-program product comprising anon-transitory computer-usable medium having computer-readable programcode embodied therein, the computer-readable program code adapted to beexecuted to implement a method comprising: identifying a user-initiatedprecursor of an anticipated exposure event; in response to theidentifying, automatically determining particular content that would beexposed if the anticipated exposure event were to occur; automaticallydetermining one or more users to which the particular content would beexposed if the anticipated exposure event were to occur; before theanticipated exposure event occurs, publishing a result of theautomatically determining one or more users to a user associated withthe user-initiated precursor; and in response to a detected occurrenceof the anticipated exposure event, monitoring a plurality ofcommunications platforms for follow-on exposure events in relation tothe particular content which chain from the detected occurrence of theanticipated exposure event.